Infected Trojan.win32.small.uf - Computer Running Sluggish


This topic is locked
14 replies to this topic

#1 wsolis


Posted 17 April 2008 - 09:32 AM

Hi,

My computer is running slow and hangs a lot. No particular error, just hangs. I have antivirus CA software, and it says it removes 322 threats, but the same threats seem to come back after reboot. I ran DSS and Kaspersky. Here are the logs:

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-04-14 13:51:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
66: 2008-04-14 18:51:44 UTC - RP205 - Deckard's System Scanner Restore Point
65: 2008-04-12 20:08:59 UTC - RP204 - System Checkpoint
64: 2008-04-10 01:44:45 UTC - RP203 - System Checkpoint
63: 2008-04-08 20:29:22 UTC - RP202 - Software Distribution Service 3.0
62: 2008-04-08 00:34:23 UTC - RP201 - System Checkpoint


-- First Restore Point --
1: 2008-01-12 15:42:46 UTC - RP140 - Windows Defender Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:43 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Owner.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: H - {D3992FA1-7712-49ae-A6D5-927FE2F17632} - kotiss.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/ca/en/securityadvisor/pe...an/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8209 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080219-171534-261 O15 - Trusted Zone: *.whataboutadog.com
backup-20080219-171534-281 O15 - Trusted Zone: *.doginhispen.com
backup-20080219-171534-436 O15 - Trusted Zone: *.whataboutarabit.com

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys (file missing)
S3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys (file missing)
S3 smserial - c:\windows\system32\drivers\smserial.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-14 10:10:02 356 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2008-03-30 19:57:28 470 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Compaq_Owner at 6 33 PM.job
2008-03-11 19:43:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 13:48:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 13:48:47 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 13:48:44 0 d-------- C:\WINDOWS\LastGood
2008-04-12 17:07:41 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Download Manager
2008-04-12 17:07:37 0 d-------- C:\Program Files\Akamai
2008-03-28 13:53:35 0 d-------- C:\Program Files\Microsoft Silverlight


-- Find3M Report ---------------------------------------------------------------

2008-04-14 13:27:35 0 d-------- C:\Program Files\Common Files
2008-04-13 16:20:01 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-04-10 00:33:42 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\FileZilla
2008-04-09 09:23:54 900 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-27 08:38:43 0 d-------- C:\Program Files\FileZilla Client
2008-03-13 15:07:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-19 18:30:51 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-02-19 18:30:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 17:59:12 0 d-------- C:\Program Files\Trend Micro
2008-01-19 12:12:09 3649 --a------ C:\WINDOWS\viassary-hp.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3992FA1-7712-49ae-A6D5-927FE2F17632}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\bak\qttask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 10:18 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [01/15/2008 06:23 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [01/31/2008 01:48 PM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [01/31/2008 01:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 06:43 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [03/06/2008 09:54 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^j2 4.2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\j2 4.2.lnk
backup=C:\WINDOWS\pss\j2 4.2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WDA-1320]
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
"C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield]
"C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01108ea2-27a7-11dc-9da0-806d6172696f}]
AutoRun\command- G:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2008-04-14 13:56:45 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 759.48 MiB / 398.75 MiB
Pagefile Memory (total/avail): 1859.72 MiB / 1532.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.3 MiB

C: is Fixed (NTFS) - 71.43 GiB total, 36.79 GiB free.
D: is Fixed (FAT32) - 5.25 GiB total, 0.75 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is Removable (No Media)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 2 partitions
\PARTITION0 - Unknown - 5.26 GiB - D:
\PARTITION1 (bootable) - Installable File System - 71.43 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - HP photosmart 7700 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: CA Anti-Virus v9.0.0.165 (CA, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4F1261A8E5
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\YOUR-4F1261A8E5
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-4F1261A8E5
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Agere Systems PCI Soft Modem --> agrsmdel
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Any Video Converter 2.0.7 --> "C:\Program Files\Any Video Converter\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
CA Anti-Spyware --> "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\setup\ccinstaller.exe" /u /silent /module="pp"
CA Anti-Virus --> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\unvet32.exe
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
CA Pest Patrol Realtime Protection --> MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
Cinderella's Dollhouse Preview --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\DISNEY~1\DeIsL1.isu
Compaq Connections --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 6750491
Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Crimson Editor (remove only) --> C:\Program Files\Crimson Editor\uninstall.exe
DVDFab Platinum 3.1.7.0 --> "C:\Program Files\DVDFab Platinum 3\unins000.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
FileZilla Client 3.0.8.1 --> C:\Program Files\FileZilla Client\uninstall.exe
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Driver Diagnostics --> MsiExec.exe /X{6314D540-E3C1-4F30-AEEB-4154C93375C3}
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{5469D537-9B44-4c78-BF2D-5F9807564F74}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
j2 Messenger 4.2 --> C:\Program Files\j2 Messenger 4.2\Uninstall.exe
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.16.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Publisher 2002 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Money Investment Toolbox --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:5
Netscape Navigator (9.0.0.6) --> C:\Program Files\Netscape\Navigator 9\uninstall\helper.exe
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
PC-Doctor for Windows --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA} /l1033
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzscr01.exe -datfile hphscr01.dat
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Simply Safe Backup Free Edition --> "C:\Program Files\Simply Safe Backup 2005\Uninstall.exe" "C:\Program Files\Simply Safe Backup 2005\install.log"
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Wireless G WDA-1320 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{D3815721-7859-40E2-846A-0C9461BDCD8D}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1128 / Error
Event Submitted/Written: 04/13/2008 04:59:29 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1087 / Error
Event Submitted/Written: 04/10/2008 02:19:26 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1081 / Error
Event Submitted/Written: 04/10/2008 08:58:08 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9d.ocx, version 9.0.47.0, fault address 0x0008a1da.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1063 / Warning
Event Submitted/Written: 04/09/2008 09:24:08 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type1062 / Warning
Event Submitted/Written: 04/09/2008 09:24:08 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS', component '{ACD935F6-53F3-469B-842F-2CE17B80840C}' failed. The resource 'HKEY_CURRENT_USER\Software\Corel\Auto Update\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Interval' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32443 / Warning
Event Submitted/Written: 04/13/2008 09:23:56 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type32404 / Warning
Event Submitted/Written: 04/13/2008 04:05:09 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type32183 / Error
Event Submitted/Written: 04/11/2008 01:35:48 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.104 for the Network Card with network address 0015E9B75E20 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type32175 / Warning
Event Submitted/Written: 04/11/2008 10:13:01 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type32168 / Warning
Event Submitted/Written: 04/11/2008 09:17:09 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-14 13:56:45 ------------


KASPERSKY ONLINE SCANNER REPORT
Monday, April 14, 2008 5:06:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 704411


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 21074
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:17:22

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SMINST\RECGUARD.EXE Infected: Trojan.Win32.Small.uf skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system\hpsysdrv.exe Infected: Trojan.Win32.Small.uf skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe Infected: Trojan.Win32.Small.uf skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF234A.tmp Object is locked skipped

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF26A5.tmp Object is locked skipped

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF28F5.tmp Object is locked skipped

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF30E6.tmp Object is locked skipped

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF652C.tmp Object is locked skipped

Scan process completed.


#2 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 26 April 2008 - 04:41 AM

Hi wsolis

Download FindAWF and save the file to your desktop
  • Double-click on FindAWF.exe to start the program
  • Follow the prompts, then press 1 and Enter to scan
  • A log file called awf.txt will be opened in Notepad, please save this to your Desktop and post the contents in your next response.
Once complete, please post the FindAWF report and a new HijackThis log
Teacher at Malware Removal University | ASAP & UNITE Member

#3 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 28 April 2008 - 08:09 PM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Teacher at Malware Removal University | ASAP & UNITE Member

#4 wsolis
  • Topic Starter

  • Members
  • 6 posts

Posted 30 April 2008 - 05:45 PM

Yes, I do still need help. Sorry it took me a couple of days to respond...thank you for waiting.

Here are the logs you requested:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 04/30/2008
The current time is: 17:35:05.37


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 09:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\J2MESS~1.2\BAK

07/14/2006 03:03 PM 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/02/2007 05:17 PM 28,176 qttask.exe
1 File(s) 28,176 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

07/01/2007 11:30 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

09/12/2007 12:24 PM 182 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:00 PM 15,360 ctfmon.exe
11/02/2004 05:59 PM 126,976 hkcmd.exe
07/07/2005 11:55 PM 491,520 hphmon05.exe
09/12/2003 09:13 PM 98,304 ps2.exe
4 File(s) 732,160 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 11:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ANI\ANIWZC~1\BAK

11/30/2005 10:35 AM 49,152 WZCSLDR2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 05:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\D-LINK\WIRELE~1\BAK

12/14/2005 03:56 PM 2,711,552 AirGCFG.exe
1 File(s) 2,711,552 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 03:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{5372B~1\BAK

07/07/2005 11:55 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/11/2007 06:16 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

03/28/2007 05:10 PM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/29/2005 06:44 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/15/2005 10:17 AM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 11 2008 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
24080 Aug 28 2007 "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe"
107008 Jul 14 2006 "C:\Program Files\j2 Messenger 4.2\bak\J2GDllCmd.exe"
24080 Aug 28 2007 "C:\Program Files\QuickTime\QTTask.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
24080 Aug 28 2007 "C:\Program Files\QuickTime\QTTask.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
111840 Jan 15 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Jul 1 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
24080 Aug 28 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
246 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.dat"
182 Sep 12 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
24080 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\bak\hphmon05.exe"
98304 Sep 12 2003 "C:\hp\drivers\keyboard\PS2.EXE"
98304 Sep 12 2003 "C:\WINDOWS\system32\bak\ps2.exe"
24080 Aug 28 2007 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
24080 Aug 28 2007 "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
49152 Nov 30 2005 "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
24080 Aug 28 2007 "C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe"
2711552 Dec 14 2005 "C:\Program Files\D-Link\Wireless G WDA-1320\bak\AirGCFG.exe"
24080 Aug 28 2007 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
24080 Aug 28 2007 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
24080 Aug 28 2007 "C:\Program Files\QuickTime\QTTask.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Jun 11 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe1191363623"
224248 Mar 28 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
180269 Jan 29 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Jan 29 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
24080 Aug 28 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
24080 Aug 28 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Jul 15 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"


end of report



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:18 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: H - {D3992FA1-7712-49ae-A6D5-927FE2F17632} - kotiss.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/ca/en/securityadvisor/pe...an/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://www.pbs.org/parents/images/tvprogra...rt-superwhy.jpg

--
End of file - 8610 bytes

#5 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 30 April 2008 - 10:44 PM

Hi wsolis,

Your machine has malware which affects legitimate files, so it's easy to be reinfected. To prevent this, I would ask you to please not make changes to your system (adding/removing software, etc.) until we have cleaned it.
  • Highlight all the text in the FindAWF file list below and copy it to the clipboard by pressing Ctrl + C (or highlight the text, right-click it and select Copy)
  • Double-click on FindAWF.exe to start the program
  • Press any key to reach the menu screen, then press 2 and Enter
  • Press any key and a text file will open, click below the horizontal line and then press Ctrl + V to paste in the text (or click below the line, then right-click and select Paste)
  • Then save and close the Notepad file
  • FindAWF will then run and a new report will be produced, please post the contents of this in your next response.

"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\j2 Messenger 4.2\bak\J2GDllCmd.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
"C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\D-Link\Wireless G WDA-1320\bak\AirGCFG.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
"C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"


------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
@echo off
attrib -r -s -h "C:\Program Files\QuickTime\QTTask.exe" >> results.txt 2>>&1
del /q /a /f "C:\Program Files\QuickTime\QTTask.exe" >> results.txt 2>>&1
attrib -r -s -h "C:\Program Files\QuickTime\bak\qttask.exe" >> results.txt 2>>&1
del /q /a /f "C:\Program Files\QuickTime\bak\qttask.exe" >> results.txt 2>>&1
copy /y "C:\Program Files\QuickTime\bak\bak\qttask.exe" "C:\Program Files\QuickTime\QTTask.exe" >> results.txt 2>>&1
dir /a "C:\Program Files\QuickTime\QTTask.exe" >> results.txt 2>>&1
dir /a "C:\Program Files\QuickTime\bak\qttask.exe" >> results.txt 2>>&1
dir /a "C:\Program Files\QuickTime\bak\bak\qttask.exe" >> results.txt 2>>&1
del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time; this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Once complete, please post the new FindAWF report, the new results.txt output and a new HijackThis log.
Teacher at Malware Removal University | ASAP & UNITE Member
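
As an added example (not code from this thread or from FindAWF, and assuming only the report format shown above), the following Python reproduces the triage applied to the "Duplicate files of bak directory contents" listing: pair each bak copy with its live sibling, flag the pairs that differ, treat the size/date most of the swapped live files share as the stub signature, and where bak folders are nested prefer the deepest copy as the restore source. The sample report embedded below is constructed from a subset of the lines posted earlier in the thread.

```python
"""Triage of a FindAWF "Duplicate files of bak directory contents" listing.

Added example, not part of the thread or of the FindAWF tool. It applies the
reasoning the helper used above: an AWF-style infection swaps a legitimate
auto-start executable for a small stub and parks the original in a "bak"
subfolder. A bak copy whose live sibling differs in size or date is therefore a
restore candidate, the (size, date) shared by most of those live siblings is the
suspected stub, and where bak folders are nested the deepest copy is the oldest,
so it is the one to restore from.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the report lines posted in this thread,
# in the format FindAWF prints (size, date, quoted path).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
24080 Aug 28 2007 "C:\Program Files\QuickTime\QTTask.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
24080 Aug 28 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
24080 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"

end of report
"""

# One report line: <size> <Mon d yyyy> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Return (size, date, path) tuples for every file line in the listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def live_counterpart(path):
    """Strip trailing 'bak' folders; return (live path, bak nesting depth).

    Depth 0 means the file is not inside a bak folder at all.
    """
    p = PureWindowsPath(path)
    folder, depth = p.parent, 0
    while folder.name.lower() == "bak":
        folder, depth = folder.parent, depth + 1
    return str(folder / p.name), depth


def triage(entries):
    """Classify bak copies against their live siblings.

    Returns a dict with:
      restore:        {live path: bak path to restore from} for swapped files
      intact:         bak copies identical (size and date) to the live file
      orphaned:       bak copies with no live sibling in the listing
      stub_signature: the (size, date) most common among the live files that
                      differ from their bak copy, or None if none differ
    """
    by_path = {path.lower(): (size, date, path) for size, date, path in entries}
    candidates = {}  # live path -> (depth, bak path, live entry)
    intact, orphaned = [], []
    for size, date, path in entries:
        live_path, depth = live_counterpart(path)
        if depth == 0:
            continue  # a live file, not a bak copy
        live = by_path.get(live_path.lower())  # case-insensitive, like NTFS
        if live is None:
            orphaned.append(path)
        elif live[:2] == (size, date):
            intact.append(path)
        else:
            current = candidates.get(live[2])
            if current is None or depth > current[0]:
                candidates[live[2]] = (depth, path, live)  # deepest bak wins
    stub = Counter(live[:2] for _, _, live in candidates.values())
    return {
        "restore": {lp: bak for lp, (_, bak, _) in candidates.items()},
        "intact": intact,
        "orphaned": orphaned,
        "stub_signature": stub.most_common(1)[0][0] if stub else None,
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("suspected stub (size, date):", result["stub_signature"])
    for live_path, bak in result["restore"].items():
        print(f"restore {live_path} from {bak}")
```

Entries listed under 8.3 short names (YAHOOM~1.EXE in the report above) do not pair with their long-name siblings and surface as orphaned, so they still need a manual look.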

#6 wsolis
  • Topic Starter

  • Members
  • 6 posts

Posted 02 May 2008 - 05:32 PM

Hi,

Here are the new files as you requested:


FINDAWF.EXE



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Fri 05/02/2008
The current time is: 17:25:58.89


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 09:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\J2MESS~1.2\BAK

07/14/2006 03:03 PM 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/02/2007 05:17 PM 28,176 qttask.exe
1 File(s) 28,176 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

07/01/2007 11:30 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

09/12/2007 12:24 PM 182 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:00 PM 15,360 ctfmon.exe
11/02/2004 05:59 PM 126,976 hkcmd.exe
07/07/2005 11:55 PM 491,520 hphmon05.exe
09/12/2003 09:13 PM 98,304 ps2.exe
4 File(s) 732,160 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 11:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ANI\ANIWZC~1\BAK

11/30/2005 10:35 AM 49,152 WZCSLDR2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 05:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\D-LINK\WIRELE~1\BAK

12/14/2005 03:56 PM 2,711,552 AirGCFG.exe
1 File(s) 2,711,552 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 03:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{5372B~1\BAK

07/07/2005 11:55 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/11/2007 06:16 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

03/28/2007 05:10 PM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/29/2005 06:44 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/15/2005 10:17 AM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 11 2008 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
24080 Aug 28 2007 "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe"
107008 Jul 14 2006 "C:\Program Files\j2 Messenger 4.2\bak\J2GDllCmd.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
111840 Jan 15 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Jul 1 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
24080 Aug 28 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
246 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.dat"
182 Sep 12 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
24080 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\bak\hphmon05.exe"
98304 Sep 12 2003 "C:\hp\drivers\keyboard\PS2.EXE"
98304 Sep 12 2003 "C:\WINDOWS\system32\bak\ps2.exe"
24080 Aug 28 2007 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
24080 Aug 28 2007 "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
49152 Nov 30 2005 "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
24080 Aug 28 2007 "C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe"
2711552 Dec 14 2005 "C:\Program Files\D-Link\Wireless G WDA-1320\bak\AirGCFG.exe"
24080 Aug 28 2007 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
24080 Aug 28 2007 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Jun 11 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe1191363623"
224248 Mar 28 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
180269 Jan 29 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Jan 29 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
24080 Aug 28 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
24080 Aug 28 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Jul 15 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"


end of report



results.txt

1 file(s) copied.
Volume in drive C is PRESARIO
Volume Serial Number is A81C-2008

Directory of C:\Program Files\QuickTime

06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes
0 Dir(s) 39,154,573,312 bytes free
Volume in drive C is PRESARIO
Volume Serial Number is A81C-2008

Directory of C:\Program Files\QuickTime\bak

File Not Found
Volume in drive C is PRESARIO
Volume Serial Number is A81C-2008

Directory of C:\Program Files\QuickTime\bak\bak

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes
0 Dir(s) 39,154,573,312 bytes free


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:10 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: H - {D3992FA1-7712-49ae-A6D5-927FE2F17632} - kotiss.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/ca/en/securityadvisor/pe...an/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://www.pbs.org/parents/images/tvprogra...rt-superwhy.jpg

--
End of file - 8642 bytes

#7 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 02 May 2008 - 09:53 PM

Hi wsolis,

Unfortunately, that doesn't appear to have worked as expected; we'll use a different method:

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
@echo off
rem For each replaced program: delete the file now in place, then copy the
rem original back from the bak folder beside it (copy /y overwrites without asking).
del /q "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe"
copy /y "C:\Program Files\j2 Messenger 4.2\bak\J2GDllCmd.exe" "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe"
del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"
copy /y "C:\WINDOWS\SMINST\bak\RECGUARD.EXE" "C:\WINDOWS\SMINST\RECGUARD.EXE"
del /q "C:\WINDOWS\system\hpsysdrv.exe"
copy /y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system\hpsysdrv.exe"
del /q "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
copy /y "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe" "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
del /q "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
copy /y "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe" "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
del /q "C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe"
copy /y "C:\Program Files\D-Link\Wireless G WDA-1320\bak\AirGCFG.exe" "C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe"
del /q "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
copy /y "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
del /q "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
copy /y "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe" "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
copy /y "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe" "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
del /q "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
copy /y "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
del /q "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
copy /y "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe" "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
rem Finally remove this batch file itself.
del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time; this is normal.

Then run FindAWF again:
  • Double-click on FindAWF.exe to start the program
  • Follow the prompts, then press 1 and Enter to scan
  • A log file called awf.txt will be opened in Notepad, please save this to your Desktop and post the contents in your next response.
Once complete, please post the new FindAWF report and a new HijackThis log.
Teacher at Malware Removal University | ASAP & UNITE Member
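As an added example (not from the thread, and not FindAWF's own code), here is the bak-folder comparison that FindAWF and the runme.bat above do by hand, written in Python. It walks a tree for folders named bak, looks for a file of the same name in the install directory one level up (climbing out of nested bak\bak folders, as in the QuickTime entry above, and matching names case-insensitively as NTFS does), hashes both copies, and emits the same del/copy lines. The directory tree it scans is constructed inline for the demo; the only figure taken from the thread is the 24080-byte size that the Aug 28 2007 files in the FindAWF report above share. Function names are this example's own.

```python
"""Added example: find 'bak' folders, compare each backed-up file with the
live copy beside it, and emit the del/copy lines the helper wrote by hand.
The directory tree below is constructed for the demo; only the 24080-byte
size comes from the FindAWF report in the thread."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

LOADER_SIZE = 24080  # size shared by the Aug 28 2007 files in the FindAWF report above


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def live_location(bak_dir: Path) -> Path:
    """Climb out of nested bak\\bak folders (cf. QuickTime above) to the real install dir."""
    target = bak_dir.parent
    while target.name.lower() == "bak":
        target = target.parent
    return target


def find_sibling(directory: Path, name: str) -> Path | None:
    """Case-insensitive lookup: NTFS treats QTTask.exe and qttask.exe as the same file."""
    wanted = name.lower()
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == wanted:
            return entry
    return None


def scan_bak_folders(root: Path) -> list[dict]:
    """One finding per file inside any 'bak' folder: missing, identical or replaced."""
    findings: list[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        install_dir = live_location(bak_dir)
        for name in files:
            backup = bak_dir / name
            live = find_sibling(install_dir, name)
            if live is None:
                status = "missing"
            elif sha256_of(live) == sha256_of(backup):
                status = "identical"
            else:
                status = "replaced"
            findings.append({
                "backup": backup,
                "live": live if live is not None else install_dir / name,
                "status": status,
                "loader_sized": live is not None and live.stat().st_size == LOADER_SIZE,
            })
    findings.sort(key=lambda f: str(f["backup"]))  # deterministic order for the report
    return findings


def restore_plan(findings: list[dict]) -> list[str]:
    """Batch lines in the same shape as the helper's runme.bat; identical pairs need nothing."""
    lines = ["@echo off"]
    for f in findings:
        if f["status"] == "replaced":
            lines.append(f'del /q "{f["live"]}"')
        if f["status"] in ("replaced", "missing"):
            lines.append(f'copy /y "{f["backup"]}" "{f["live"]}"')
    return lines


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: one swapped binary, one untouched nested bak\\bak pair, one missing live file."""
    (base / "App" / "bak").mkdir(parents=True)
    (base / "App" / "bak" / "tool.exe").write_bytes(b"MZ original tool" * 1000)
    (base / "App" / "tool.exe").write_bytes(b"\x00" * LOADER_SIZE)          # swapped-in loader
    (base / "QT" / "bak" / "bak").mkdir(parents=True)
    (base / "QT" / "bak" / "bak" / "qttask.exe").write_bytes(b"MZ quicktime")
    (base / "QT" / "QTTask.exe").write_bytes(b"MZ quicktime")               # same bytes, different case
    (base / "Y" / "bak").mkdir(parents=True)
    (base / "Y" / "bak" / "SearchProtection.exe").write_bytes(b"MZ yahoo")   # nothing live beside it


def demo() -> tuple[list[dict], list[str]]:
    base = Path(tempfile.mkdtemp())
    build_sample_tree(base)
    findings = scan_bak_folders(base)
    return findings, restore_plan(findings)


if __name__ == "__main__":
    found, plan = demo()
    for f in found:
        print(f'{f["status"]:9} loader_sized={f["loader_sized"]!s:5} {f["live"]}')
    print("\n".join(plan))
```

Point scan_bak_folders() at a drive root to get the same three verdicts for every bak folder on the machine; the hash comparison is what tells an untouched pair (QuickTime above) from a swapped one, which a size-only check would miss when the loader happens to match the original's size.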

#8 wsolis

  • Topic Starter
  • Members
  • 6 posts

Posted 05 May 2008 - 09:09 AM

I have done as instructed. Here are the new files:


AWF.txt



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 05/05/2008
The current time is: 9:01:21.00


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 09:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\J2MESS~1.2\BAK

07/14/2006 03:03 PM 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

07/01/2007 11:30 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

09/12/2007 12:24 PM 182 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:00 PM 15,360 ctfmon.exe
11/02/2004 05:59 PM 126,976 hkcmd.exe
07/07/2005 11:55 PM 491,520 hphmon05.exe
09/12/2003 09:13 PM 98,304 ps2.exe
4 File(s) 732,160 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 11:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ANI\ANIWZC~1\BAK

11/30/2005 10:35 AM 49,152 WZCSLDR2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 05:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\D-LINK\WIRELE~1\BAK

12/14/2005 03:56 PM 2,711,552 AirGCFG.exe
1 File(s) 2,711,552 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 03:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{5372B~1\BAK

07/07/2005 11:55 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/11/2007 06:16 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

03/28/2007 05:10 PM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/29/2005 06:44 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/15/2005 10:17 AM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 11 2008 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
107008 Jul 14 2006 "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe"
107008 Jul 14 2006 "C:\Program Files\j2 Messenger 4.2\bak\J2GDllCmd.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
111840 Jan 15 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Jul 1 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
246 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.dat"
182 Sep 12 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\bak\hphmon05.exe"
98304 Sep 12 2003 "C:\hp\drivers\keyboard\PS2.EXE"
98304 Sep 12 2003 "C:\WINDOWS\system32\bak\ps2.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
49152 Nov 30 2005 "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
49152 Nov 30 2005 "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
2711552 Dec 14 2005 "C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe"
2711552 Dec 14 2005 "C:\Program Files\D-Link\Wireless G WDA-1320\bak\AirGCFG.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Jun 11 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe1191363623"
224248 Mar 28 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
180269 Jan 29 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Jan 29 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
176128 Jul 15 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Jul 15 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"


end of report


Hijack This Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:45 AM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WordPerfect Office 12\Programs\wpwin12.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: H - {D3992FA1-7712-49ae-A6D5-927FE2F17632} - kotiss.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/ca/en/securityadvisor/pe...an/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://www.pbs.org/parents/images/tvprogra...rt-superwhy.jpg

--
End of file - 8670 bytes

#9 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 05 May 2008 - 11:55 PM

Hi wsolis,

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1

These are out of date and now a security risk; you can get the latest update (version 6 update 6) from here

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

O2 - BHO: H - {D3992FA1-7712-49ae-A6D5-927FE2F17632} - kotiss.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
@echo off
rem Copy each original back from its bak folder into the install directory
rem beside it (copy /y overwrites without asking if anything is already there).
copy /y "C:\hp\KBD\bak\KBD.EXE" "C:\hp\KBD\KBD.EXE"
copy /y "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32\hkcmd.exe"
copy /y "C:\WINDOWS\system32\bak\hphmon05.exe" "C:\WINDOWS\system32\hphmon05.exe"
copy /y "C:\WINDOWS\system32\bak\ps2.exe" "C:\WINDOWS\system32\ps2.exe"
copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
copy /y "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe" "C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe"
copy /y "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe" "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
rem Finally remove this batch file itself.
del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time; this is normal.

Then please do another scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Next and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save Report As... button, change Save as type: to Text file and save the file to your desktop as Kaspersky.txt
Run FindAWF once more (hopefully for the last time!)
  • Double-click on FindAWF.exe to start the program
  • Follow the prompts, then press 1 and Enter to scan
  • A log file called awf.txt will be opened in Notepad, please save this to your Desktop and post the contents in your next response.
Once complete please post the Kaspersky report, the new FindAWF report and a new HijackThis log.
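As an added example (not from the thread, and not HijackThis's own code), here is a small triage of HijackThis log lines for the two patterns silver picked out above: an O2 BHO whose DLL is reported as "(file missing)", and an O4 Run entry whose target sits under a bak folder. The sample lines are copied from the log in post #8; the regular expressions, the function names and the extra "bare filename" check on BHO entries are this example's own.

```python
"""Added example: triage HijackThis O2/O4 lines for a BHO with a missing DLL
and a Run entry that launches from a 'bak' folder. SAMPLE_LOG is a handful
of lines copied from the thread's log; the rules are this example's own."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: H - {D3992FA1-7712-49ae-A6D5-927FE2F17632} - kotiss.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# O2 - BHO: <name> - {<clsid>} - <dll path or bare name, optionally "(file missing)">
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# O4 - HKxx\..\Run: [<label>] <command line>
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<command>.*)$')


def command_path(command: str) -> str:
    """Pull the executable path out of a Run value: quoted path, or first token when unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list[dict]:
    """Return one record per suspicious line, in log order, with the reason it was flagged."""
    hits: list[dict] = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            target = m.group("target")
            if target.endswith("(file missing)"):
                hits.append({"line": line, "clsid": m.group("clsid"),
                             "reason": "BHO registered but its DLL is missing"})
            elif "\\" not in target:  # bare file name: resolved through the DLL search path
                hits.append({"line": line, "clsid": m.group("clsid"),
                             "reason": "BHO DLL given without a directory"})
            continue
        m = RUN_RE.match(line)
        if m:
            path = PureWindowsPath(command_path(m.group("command")))
            if any(part.lower() == "bak" for part in path.parts):
                hits.append({"line": line, "label": m.group("label"),
                             "reason": "Run entry launches from a bak folder"})
    return hits


def lines_to_fix(log_text: str) -> list[str]:
    """The exact log lines to tick in HijackThis before pressing Fix checked."""
    return [h["line"] for h in triage(log_text)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["reason"]}:\n    {hit["line"]}')
```

Feed it the full log text in place of SAMPLE_LOG and lines_to_fix() hands back the lines to check. It is a triage aid, not a verdict: a Run entry under a bak folder only says the autostart points at a backup copy, and the decision on each line stays with whoever is reading the log.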

#10 wsolis

  • Topic Starter
  • Members
  • 6 posts

Posted 06 May 2008 - 03:37 PM

KASPERSKY Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 3:26:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 742492
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 110513
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:47:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-6-2008( 8-40-26 ).LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller\SpiderKiller\Spider Killer.exe Infected: HackTool.Win32.VB.sr skipped
C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller.zip/SpiderKiller/Spider Killer.exe Infected: HackTool.Win32.VB.sr skipped
C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF40AC.tmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF448B.tmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF9AAB.tmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFF271.tmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Shared\suave mente.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\SharedComponents\PPRT\logs\2008-05-06.csv Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP216\A0085992.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP216\A0085993.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086059.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086060.EXE Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086061.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086062.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086063.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086064.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086065.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086066.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086067.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP218\A0086068.exe Infected: Trojan.Win32.Small.uf skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP224\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_94c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP224\change.log Object is locked skipped

Scan process completed.



AWF report



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 05/06/2008
The current time is: 15:27:35.00


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 09:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\J2MESS~1.2\BAK

07/14/2006 03:03 PM 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

07/01/2007 11:30 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

09/12/2007 12:24 PM 182 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:00 PM 15,360 ctfmon.exe
11/02/2004 05:59 PM 126,976 hkcmd.exe
07/07/2005 11:55 PM 491,520 hphmon05.exe
09/12/2003 09:13 PM 98,304 ps2.exe
4 File(s) 732,160 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 11:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ANI\ANIWZC~1\BAK

11/30/2005 10:35 AM 49,152 WZCSLDR2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 05:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\D-LINK\WIRELE~1\BAK

12/14/2005 03:56 PM 2,711,552 AirGCFG.exe
1 File(s) 2,711,552 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 03:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{5372B~1\BAK

07/07/2005 11:55 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/11/2007 06:16 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

03/28/2007 05:10 PM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/29/2005 06:44 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/15/2005 10:17 AM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 11 2008 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
107008 Jul 14 2006 "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe"
107008 Jul 14 2006 "C:\Program Files\j2 Messenger 4.2\bak\J2GDllCmd.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
111840 Jan 15 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Jul 1 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
246 Aug 28 2007 "C:\WINDOWS\system\hpsysdrv.dat"
182 Sep 12 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\hphmon05.exe"
491520 Jul 7 2005 "C:\WINDOWS\system32\bak\hphmon05.exe"
98304 Sep 12 2003 "C:\WINDOWS\system32\ps2.exe"
98304 Sep 12 2003 "C:\hp\drivers\keyboard\PS2.EXE"
98304 Sep 12 2003 "C:\WINDOWS\system32\bak\ps2.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
49152 Nov 30 2005 "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
49152 Nov 30 2005 "C:\Program Files\ANI\ANIWZCS2 Service\bak\WZCSLDR2.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
2711552 Dec 14 2005 "C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe"
2711552 Dec 14 2005 "C:\Program Files\D-Link\Wireless G WDA-1320\bak\AirGCFG.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
49152 Jul 7 2005 "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Jun 11 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe1191363623"
224248 Mar 28 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
180269 Jan 29 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jan 29 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
148888 May 6 2008 "C:\Program Files\Java\jre6\bin\jusched.exe"
143360 May 6 2008 "C:\Program Files\Java\jdk1.6.0_10\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
176128 Jul 15 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Jul 15 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"


end of report


HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:27 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/ca/en/securityadvisor/pe...an/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://www.pbs.org/parents/images/tvprogra...rt-superwhy.jpg

--
End of file - 8960 bytes
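
The FindAWF report above is built around one pairing: each file inside a folder named bak is listed next to the same-named file one level up, with both sizes. That layout is the signature of the infection this thread is cleaning, where a loader copies the genuine auto-start executable into bak and takes its place under the original name, so the program still appears to start. Identical pairs (KBD.EXE, ctfmon.exe, hphmon05.exe) are just stale copies; pairs that differ (SNDMon.exe, jusched.exe, YahooMessenger.exe) are either a legitimate update made after the copy or a replaced file, and only a hash or signature check settles which. The following is an added example written for this page, not noahdfear's FindAWF tool and not code from the thread: it performs the same pairing on a constructed directory tree (the paths and bytes are made up to mirror the report, including the nested QuickTime\bak\bak case and a case-only name difference) and adds a SHA-256 comparison so that a same-size replacement is not mistaken for a stale copy.

```python
"""Added example, not the FindAWF tool: pair every file in a 'bak' folder with
the same-named file in the nearest non-bak ancestor, as the report above does,
and classify each pair by size and SHA-256."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root):
    """Return one record per file found under any directory named 'bak'.

    verdict is one of:
      identical         same bytes both sides: a stale copy, nothing replaced
      modified          size or hash differs: the live file is not the backed-up one
      missing-original  nothing of that name beside the bak folder
    """
    root = Path(root)
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        # QuickTime\bak\bak in the report: climb past every nested 'bak' level
        app_dir = bak_dir
        while app_dir.name.lower() == "bak":
            app_dir = app_dir.parent
        # NTFS is case-insensitive (QTTask.exe vs qttask.exe), so match on lowercase
        siblings = {p.name.lower(): p for p in app_dir.iterdir() if p.is_file()}
        for name in filenames:
            bak_file = bak_dir / name
            original = siblings.get(name.lower())
            if original is None:
                verdict = "missing-original"
            elif original.stat().st_size != bak_file.stat().st_size:
                verdict = "modified"
            elif sha256_of(original) != sha256_of(bak_file):
                verdict = "modified"  # same size, different bytes: only the hash catches it
            else:
                verdict = "identical"
            records.append({
                "name": name,
                "app_dir": str(app_dir.relative_to(root)),
                "bak_size": bak_file.stat().st_size,
                "orig_size": original.stat().st_size if original else None,
                "verdict": verdict,
            })
    return sorted(records, key=lambda r: (r["app_dir"], r["name"]))


def build_sample_tree(base):
    """Constructed sample (not the user's disk): a small tree shaped like the report."""
    files = {
        # stale copy: both sides identical
        "hp/KBD/KBD.EXE": b"MZ" + b"\x00" * 100,
        "hp/KBD/bak/KBD.EXE": b"MZ" + b"\x00" * 100,
        # live file differs in size from the copy in bak
        "Program Files/SymNetDrv/SNDMon.exe": b"MZ" + b"LOADER" * 40,
        "Program Files/SymNetDrv/bak/SNDMon.exe": b"MZ" + b"\x00" * 200,
        # same size, different bytes: a size-only check would call this identical
        "Program Files/Java/bin/jusched.exe": b"MZ" + b"\x01" * 100,
        "Program Files/Java/bin/bak/jusched.exe": b"MZ" + b"\x02" * 100,
        # nested bak\bak plus a case-only name difference, as with QuickTime in the report
        "Program Files/QuickTime/QTTask.exe": b"MZ" + b"\x03" * 50,
        "Program Files/QuickTime/bak/bak/qttask.exe": b"MZ" + b"\x03" * 50,
        # a copy with nothing of that name beside it
        "Program Files/Foo/bak/orphan.exe": b"MZ" + b"\x04" * 10,
    }
    root = Path(base) / "C"
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def run_demo():
    """Build the sample tree in a temp dir and return {file name: verdict}."""
    root = build_sample_tree(tempfile.mkdtemp())
    return {r["name"]: r["verdict"] for r in scan_bak_folders(root)}


if __name__ == "__main__":
    for rec in scan_bak_folders(build_sample_tree(tempfile.mkdtemp())):
        print(f"{rec['verdict']:<17} {rec['app_dir']}\\{rec['name']}  "
              f"live={rec['orig_size']} bak={rec['bak_size']}")
```

Run against a real drive, point scan_bak_folders at the volume root and treat every "modified" as something to verify with the vendor's Authenticode signature before deleting: a signed, newer live file is an update, an unsigned one under a signed vendor's name is the case the bak folder was hiding.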

#11 silver

Posted 06 May 2008 - 10:30 PM

Hi wsolis,

There are a couple of further programs I recommend you remove via Start->Control Panel->Add/Remove Programs:

Full Tilt Poker has been reported as being malware-related so I strongly recommend you remove it.

You have LimeWire, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.

------------------------------------------------------------------------

Backup Your Registry:
  • Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click erunt.zip, choose Extract All... and follow the prompts to unzip the program
  • Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\hp\KBD\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\j2 Messenger 4.2\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\SMINST\bak
    C:\WINDOWS\system\bak
    C:\WINDOWS\system32\bak
    C:\hp\drivers\hplsbwatcher\bak
    C:\Program Files\ANI\ANIWZCS2 Service\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\D-Link\Wireless G WDA-1320\bak
    C:\Program Files\Hewlett-Packard\HP Software Update\bak
    C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak
    C:\Program Files\Hp\hpcoretech\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
    C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller\SpiderKiller\Spider Killer.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller.zip
    C:\Documents and Settings\Compaq_Owner\Shared\suave mente.mp3
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
    EmptyTemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2
------------------------------------------------------------------------

Once complete, please post the OTMoveIt report along with a new HijackThis log. Also, let me know how your computer is running now.
Teacher at Malware Removal University | ASAP & UNITE Member
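
The request above ends with "a new HijackThis log", and the useful question once it arrives is what changed since the 6 May log: which auto-start entries disappeared, which appeared, and which now point somewhere else. The following is an added example written for this page, not a HijackThis feature and not code from the thread: it parses the entry lines of two logs and diffs them. The sample lines are copied from the 6 May and 13 May logs in this thread, trimmed to a few O2, O4 and O23 entries; the choice of what identifies an entry (hive plus value name for O4, CLSID for O2/O3/O9-style entries, service name for O23) is my own heuristic, not anything HijackThis defines.

```python
"""Added example, not part of HijackThis: parse the entry lines of two
HijackThis logs and report what was removed, added or changed between them."""
import re

# Constructed sample: a subset of the O2/O4/O23 lines copied from the 6 May and
# 13 May 2008 logs in this thread.
HJT_BEFORE = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""

HJT_AFTER = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Map each entry to a key that identifies it (my heuristic, see lead-in)
    and a value that should only change if the entry itself did."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        o4 = O4_RE.match(body) if code == "O4" else None
        if o4:
            key, value = (code, o4.group("hive"), o4.group("name")), o4.group("cmd")
        elif code in ("R0", "R1") and " = " in body:
            reg, url = body.split(" = ", 1)
            key, value = (code, reg), url
        elif code == "O23" and body.startswith("Service: "):
            svc, _, rest = body[len("Service: "):].partition(" - ")
            key, value = (code, svc), rest
        else:
            clsid = CLSID_RE.search(body)
            kind = body.split(":", 1)[0]  # BHO, Toolbar, Extra button, DPF, ...
            if clsid:
                key, value = (code, kind, clsid.group(0).upper()), body
            else:
                key, value = (code, body), ""
        entries[key] = value
    return entries


def diff_hjt(before_text, after_text):
    """Entries present only before, only after, or present in both with a new value."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted((k, before[k], after[k]) for k in before
                          if k in after and before[k] != after[k]),
    }


if __name__ == "__main__":
    d = diff_hjt(HJT_BEFORE, HJT_AFTER)
    for label in ("removed", "added"):
        for k in d[label]:
            print(f"{label:<8} {' | '.join(k)}")
    for k, old, new in d["changed"]:
        print(f"changed  {' | '.join(k)}\n    was: {old}\n    now: {new}")
```

On the two logs in this thread the diff shows five HKLM/HKCU Run values gone (YSearchProtection, iTunesHelper, CAVRID, SunJavaUpdateSched, MSMSGS), two RunOnce RunNarrator entries that appeared, and two entries whose target moved (the Google Toolbar Notifier BHO to a newer version folder, Yahoo! Pager from the 8.3 short path to the long one). Added entries deserve the same scrutiny as removed ones: a cleanup run should not create new auto-starts.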

#12 silver

Posted 09 May 2008 - 08:16 PM

How are you doing?
Teacher at Malware Removal University | ASAP & UNITE Member

#13 wsolis

  • Topic Starter

Posted 13 May 2008 - 09:39 AM

Hi,

I apologize for my delay in responding. I had to leave the country on short notice, and was away from my computer. Thank you for your patience and support.

My computer seems to be running better... it's not as sluggish. Booting is a lot faster than it used to be.
Am I cured at this point?

Here are the logs you requested:

OTMoveIt2

C:\hp\KBD\bak moved successfully.
C:\Program Files\iTunes\bak moved successfully.
C:\Program Files\j2 Messenger 4.2\bak moved successfully.
C:\Program Files\QuickTime\bak\bak moved successfully.
C:\Program Files\QuickTime\bak moved successfully.
C:\WINDOWS\SMINST\bak moved successfully.
C:\WINDOWS\system\bak moved successfully.
C:\WINDOWS\system32\bak moved successfully.
C:\hp\drivers\hplsbwatcher\bak moved successfully.
C:\Program Files\ANI\ANIWZCS2 Service\bak moved successfully.
C:\Program Files\Common Files\Symantec Shared\bak moved successfully.
C:\Program Files\D-Link\Wireless G WDA-1320\bak moved successfully.
C:\Program Files\Hewlett-Packard\HP Software Update\bak moved successfully.
C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak moved successfully.
C:\Program Files\Hp\hpcoretech\bak moved successfully.
C:\Program Files\Common Files\Real\Update_OB\bak moved successfully.
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak moved successfully.
C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller\SpiderKiller\Spider Killer.exe moved successfully.
C:\Documents and Settings\Compaq_Owner\Desktop\HANDBAG HOUSE\Quickbooks\willy stuff\booters\SpiderKiller.zip moved successfully.
C:\Documents and Settings\Compaq_Owner\Shared\suave mente.mp3 moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched\\ deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_73c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF4C59.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF96FF.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF9AF0.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFD68F.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_358.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05132008_092711

Files moved on Reboot...
File C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_73c.dat not found!
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF4C59.tmp moved successfully.
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF96FF.tmp moved successfully.
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF9AF0.tmp moved successfully.
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFD68F.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_358.dat not found!


HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:05 AM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\notepad.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/ca/en/securityadvisor/pe...an/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://www.pbs.org/parents/images/tvprogra...rt-superwhy.jpg

--
End of file - 8161 bytes

#14 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7
  • Local time:02:46 PM

Posted 13 May 2008 - 10:00 AM

Hi wsolis,

Yes, I think we have everything now, but there are some important final steps:

Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt2, as this step will require a reboot.
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next; type a name like All Clean, then press the Create button, and once it's done press Close.

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked; you can choose to check other boxes if you wish, but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

------------------------------------------------------------------------

If the above went well, I think your machine is clean of malware :thumbsup: Here are some tips to help you keep it that way:

You have a good antivirus program installed; however, I recommend you install antispyware software with real-time capabilities - this means it protects you from system changes and spyware while you are working, not just removing malware after it has been installed. There is a range of paid-for and free packages available; a free one I can recommend is Windows Defender, available here:
http://www.microsoft.com/athome/security/s...re/default.mspx

I recommend you consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software, as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available; one I can recommend is Comodo:
http://www.personalfirewall.comodo.com/
A tutorial on firewalls to help you get started:
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002.
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
Teacher at Malware Removal University | ASAP & UNITE Member
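The custom hosts file recommended above works by mapping unwanted domain names to a non-routable address (0.0.0.0 or 127.0.0.1) so the browser never reaches them; the same file is also a classic hijack target, where a name such as a security vendor's site is pointed at an attacker-chosen address instead. The script below is an added example, not code from this thread or from the MVPS project: it parses hosts-file text and separates harmless block entries from entries that redirect a name to some other address, which is the pattern a defender wants flagged. The sample hosts text, the `.test` domain names and the addresses in it are constructed for the example.

```python
"""Classify entries in a Windows hosts file (added example, not from the thread).

Block entries (name -> 0.0.0.0 / 127.0.0.1 / ::1) are what a blocklist such as a
custom hosts file installs. Any other target address means the name is being
redirected somewhere, which is what a hosts-file hijack looks like and deserves
a closer look.
"""
import ipaddress
import re

# Addresses a blocklist legitimately uses to "sink" a hostname.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample resembling C:\WINDOWS\system32\drivers\etc\hosts after a
# blocklist install, plus two entries of the kind a hijack would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.example-counter.test   # blocklist entry
0.0.0.0  banners.example.test
127.0.0.1  tracking.example.test
10.0.0.9  www.update.example.test   # redirect: not a block address
192.0.2.5  www.antivirus-vendor.test  security-vendor.test
"""

# One address followed by one or more hostnames separated by whitespace.
LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return a list of (address, hostname) pairs, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        # Everything after '#' is a comment, as in the real hosts file format.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        addr, names = match.groups()
        try:
            ipaddress.ip_address(addr)  # validates IPv4 and IPv6 targets
        except ValueError:
            continue  # malformed line: skip rather than guess
        for name in names.split():
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split parsed entries into block entries and redirects.

    The mandatory 'localhost' line is neither a block nor a redirect and is
    left out of both lists.
    """
    blocks, redirects = [], []
    for addr, name in entries:
        if name == "localhost":
            continue
        target = blocks if addr in BLOCK_ADDRESSES else redirects
        target.append((addr, name))
    return blocks, redirects


if __name__ == "__main__":
    blocks, redirects = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(blocks)} block entries, {len(redirects)} redirect entries")
    for addr, name in redirects:
        print(f"  REVIEW: {name} is redirected to {addr}")
```

Pointing the script at a real hosts file (read the file's text and pass it to `parse_hosts`) gives a quick way to confirm that a freshly installed blocklist contains only sink addresses, and to spot any stray redirect that a later infection adds.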

#15 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7
  • Local time:02:46 PM

Posted 17 May 2008 - 04:23 AM

Since this issue appears to be resolved, this topic has been closed. Glad we could be of assistance.

If you are the topic starter and need this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.
Teacher at Malware Removal University | ASAP & UNITE Member
