

Help! Is My Computer Still Infected? Hijack This Log Attached


  • This topic is locked
3 replies to this topic

#1 Tricia40


Posted 27 April 2008 - 09:00 PM

Ok -
I've been having problems for quite some time now. I have ESET smart security - that never finds the problems - but today I ran Adaware pro and it picked up the win32.agent trojan. I had it delete the file but I'm not sure if everything is removed.

The problems I am having are - that when I surf I often get redirected to false sites.
(I only use Mozilla Firefox to surf the web.) I could not log onto the computer as an administrator
because of "account restrictions" (even after I had changed the password; however, as of today this seems to be fixed! yay!)
and ...
Whatever is in my computer seems to be keeping track of every program I launch and every document I look at. Someone told me that this is just normal HP crap - but at one point I was seeing compressed zip folders which contained all my personal pictures and word documents.
There is a "history" listing under c:docs & Settings:Hp-Owner and that's where all this stuff appears.

I'd really appreciate any help you can give me. I think this thing got pretty deep into the computer. Some of the files (which I was able to open in notepad) even indicate that there is "an impersonated win32 server" and there are several "trace" files on the computer as well - tracking my activity.

ESET doesn't launch at startup and the bug seems to be adding exclusions to all the virus software I have that prevent them from detecting it. ( I was surprised that the win32 agent was detected at all - I have run Adaware several times and it found nothing before today)

(When I ran rootkit revealer it picked up some registry entries with embedded nulls - and there seem to be some policy changes to my security settings?? )

I've attached the Hijack this log I just ran...again...

Pls help if you can. ( : 0

let me know if you need any more info ...
and THANKS!

Hijack this log - Tricia - 4-27-08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:18 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5165 bytes
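As an added example, not code from this thread or from HijackThis itself: a Python first pass over log lines of the kinds posted above (O2 BHOs, O4 Run/RunOnce values, O23 services) that pulls out each autostart binary and flags the entries a log reviewer would check first. The trusted-directory and user-writable-path lists, the triage rules, and the made-up `example_autostart.exe` entry in the sample are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not HijackThis's or the thread's own code): a first-pass
# triage over HijackThis 2.0.2 log lines of the kinds posted above.
# The heuristics below are this example's own assumptions, not HijackThis logic.

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First quoted or unquoted token that ends in a binary extension.
EXE_RE = re.compile(r'^"?(?P<p>.+?\.(?:exe|dll|ocx|sys|com|scr))"?(?:\s|$)', re.IGNORECASE)

# Where an installed autostart binary normally lives on an XP box like this one (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# User-writable locations: persistence from here deserves a closer look (assumption).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Entry:
    kind: str         # "O2" (BHO), "O4" (Run/RunOnce) or "O23" (service)
    name: str         # value name, BHO class or service display name
    path: str         # binary path exactly as the log wrote it
    owner: str = ""   # vendor string, O23 only


def exe_path(cmd: str) -> str:
    """Pull the binary path out of a Run command line or service path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("p") if m else cmd.strip().split(" ")[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; lines of other kinds (R0/R1, O3, O12, ...) give None."""
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], exe_path(m["cmd"]))
    if m := O23_RE.match(line):
        return Entry("O23", m["name"], exe_path(m["path"]), m["owner"])
    if m := O2_RE.match(line):
        return Entry("O2", m["name"], exe_path(m["path"]))
    return None


def triage(entry: Entry) -> List[str]:
    """Reasons a human should look at this entry; an empty list means nothing stood out."""
    reasons = []
    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        reasons.append("service binary has no vendor string; check its signature and hash")
    p = entry.path.lower()
    if "\\" not in p:
        reasons.append("bare file name, resolved through the search path at logon")
    elif any(s in p for s in USER_WRITABLE):
        reasons.append("persists from a user-writable location")
    elif not p.startswith(TRUSTED_ROOTS):
        reasons.append("binary lives outside Windows and Program Files")
    return reasons


def triage_log(text: str) -> List[tuple]:
    """(kind, name, reason) for every flagged entry, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in triage(entry):
            findings.append((entry.kind, entry.name, reason))
    return findings


# Constructed sample: five lines copied from the log above plus one made-up
# HKCU Run entry ("example_autostart.exe") to exercise the user-writable check.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [example] C:\Documents and Settings\HP_Owner\Application Data\example_autostart.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""
```

Running `triage_log(SAMPLE_LOG)` flags the bare `MIDIDEF.EXE` RunOnce value, the constructed Application Data autostart, and the "Unknown owner" ESET HTTP service, while the HP and ESET entries under Program Files pass; a flag is a prompt to verify the file, not a verdict.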


#2 Tricia40


Posted 27 April 2008 - 09:38 PM

Hi -
I think I may have some malware on my computer.
(I posted earlier but then read the "preparation before posting a log" instructions - sorry!)
Here's the result of the DSS scan.
Pls reply as soon as you can.

Thanks

Pat


Deckard's System Scanner v20071014.68
Run by HP_Owner on 2008-04-27 22:34:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
50: 2008-04-28 02:34:36 UTC - RP50 - Deckard's System Scanner Restore Point
49: 2008-04-27 21:54:07 UTC - RP49 - Removed HP Deskjet Printer Preload
48: 2008-04-27 20:19:11 UTC - RP48 - after phantom game load.
47: 2008-04-27 19:23:43 UTC - RP47 - Configured Woodsy Winnings
46: 2008-04-27 19:17:10 UTC - RP46 - Installed Woodsy Winnings


-- First Restore Point --
1: 2008-02-20 00:16:16 UTC - RP1 - Removed Norton Security Center


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:34 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\DOCUME~1\HP_Owner\Desktop\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5085 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 18:10:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-27 17:28:32 0 d-------- C:\Program Files\Enigma Software Group
2008-04-27 14:09:49 0 d-------- C:\Program Files\Phantom EFX
2008-04-27 13:44:44 0 d-------- C:\Program Files\Canon
2008-04-27 13:44:18 0 d-------- C:\WINDOWS\Profiles
2008-04-27 13:44:16 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\InterTrust
2008-04-27 13:42:49 0 d--h----- C:\CanoScan
2008-04-27 12:49:05 0 dr-h----- C:\Documents and Settings\HP_Owner\Recent
2008-04-27 12:40:08 16384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-04-27 12:40:08 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-25 00:59:52 0 d-------- C:\WINDOWS\system32\FxsTmp
2008-04-24 18:55:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 23:38:45 237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-04-23 23:38:45 3944448 --a------ C:\Documents and Settings\HP_Owner\ntuser.dat
2008-04-23 11:41:53 0 d-------- C:\Program Files\Western Digital
2008-04-22 23:05:16 0 d-------- C:\Documents and Settings\All Users\SonicStage
2008-04-22 23:01:44 0 d-------- C:\Program Files\Sony Corporation
2008-04-22 23:01:03 757760 --a------ C:\WINDOWS\system32\CDDBUI.dll <Not Verified; Gracenote; CDDBUIControl Module>
2008-04-22 23:01:03 630784 --a------ C:\WINDOWS\system32\CDDBControl.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2008-04-22 23:00:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-04-22 23:00:17 0 d-------- C:\Program Files\Sony
2008-04-22 22:59:50 0 d-------- C:\Program Files\Common Files\Sony Shared
2008-04-22 22:59:50 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Sony Corporation
2008-04-22 13:13:59 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-22 12:33:53 96577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-22 12:11:19 0 d-------- C:\Program Files\iPod
2008-04-22 12:11:15 0 d-------- C:\Program Files\iTunes
2008-04-22 12:10:54 0 d-------- C:\Program Files\Bonjour
2008-04-22 12:10:31 0 d-------- C:\Program Files\QuickTime
2008-04-22 12:10:15 0 d-------- C:\Program Files\Apple Software Update
2008-04-22 12:10:08 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-22 12:09:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-22 12:09:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-20 22:00:09 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Thunderbird
2008-04-20 22:00:04 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-04-20 18:18:16 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-04-20 18:16:48 0 d-------- C:\Program Files\Lavasoft
2008-04-20 17:59:52 0 d-------- C:\Program Files\ScanSpyware v3.8.0.4
2008-04-20 16:54:35 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-19 17:46:18 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Help
2008-04-19 16:54:13 0 d-------- C:\WINDOWS\system32\NtmsData
2008-03-28 17:34:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-04-27 18:08:58 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000004-20051102}.dat
2008-04-27 18:08:58 384 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000004-00001102-00000004-20051102}.dat
2008-04-27 15:17:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 13:44:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-23 20:17:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-04-22 22:59:50 0 d-------- C:\Program Files\Common Files
2008-04-22 12:33:35 0 d-------- C:\Program Files\HP
2008-04-22 12:33:30 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-22 12:27:22 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll <Not Verified; Hewlett Packard; Hewlett Packard Rediscovery Library>
2008-04-20 22:00:11 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Mozilla
2008-04-20 20:31:51 906 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-03-13 18:34:48 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Template
2008-03-07 11:22:12 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-02 13:47:04 0 d-------- C:\Program Files\Google
2008-03-02 02:39:20 0 d-------- C:\Program Files\WildTangent
2008-03-02 00:47:04 0 d-------- C:\Program Files\Online Services
2008-03-01 22:29:17 0 d-------- C:\Program Files\Common Files\Real
2008-03-01 22:29:10 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Real
2008-03-01 12:19:27 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Adobe
2008-02-19 20:43:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-19 20:35:47 69069 --a------ C:\WINDOWS\hpoins05.dat
2008-02-19 02:52:23 50 --a------ C:\AUTOEXEC.BAT
2008-02-19 02:19:08 14554 --a------ C:\WINDOWS\system32\CHODDI.SYS
2008-02-19 02:03:42 47832 --a------ C:\WINDOWS\hpiins01.dat
2008-02-19 02:02:58 94364 --a------ C:\WINDOWS\HPHins03.dat
2008-02-19 01:59:43 50500 --a------ C:\WINDOWS\hpdins05.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/25/2005 07:34 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e29e2fbc-b976-11d9-bac2-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52bb27a-10ea-11dd-bc9d-0013d43b41b3}]
AutoRun\command- F:\WD_Windows_Tools\Setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-27 22:36:05 ------------

#3 lusitano


Posted 14 May 2008 - 10:39 AM

Hello


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 lusitano


Posted 20 May 2008 - 12:56 PM

Due to inactivity, this thread has been closed to prevent others with similar problems from posting to it.
If you need it re-opened, please PM a member of the moderating team with a link to your thread.

Thanks
