
Need Some Help Finishing Cleanup From Vundo

This topic is locked
9 replies to this topic

#1 bsosbe

  • Members
  • 5 posts
  • Location:Indiana

Posted 06 June 2008 - 10:01 PM

I have run several online scans including Eset, Ewido Online Scan, Panda, Kaspersky, F-Secure, and Windows Live OneCare. Downloaded and ran several malware removal tools including Spybot S&D, Ad-Aware, and Malwarebytes. The Ewido scan, F-Secure scan and Spybot S&D found and removed some nasties, so I downloaded and ran HJT. After careful consideration through research on several forums (including this one) I removed some of the entries.

My system seems to be running a lot smoother now, but I'm sure there are some things still left that need to be addressed.

I have run Deckard's System Scanner and OTScanIt. Here are the logs:
(Extra.txt and OTScanIt.txt attached)

Deckard's System Scanner v20071014.68
Run by HP_Owner on 2008-06-06 22:25:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-06-07 02:25:21 UTC - RP23 - Deckard's System Scanner Restore Point
2: 2008-06-06 13:54:45 UTC - RP22 - I May Never Be Clean
1: 2008-06-06 13:51:18 UTC - RP21 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:19 PM, on 6/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\PC Defender\Common\FSM32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PCDEFE~1\backweb\989252\Program\SERVIC~1.EXE
C:\Program Files\PC Defender\Anti-Virus\fsgk32st.exe
C:\Program Files\PC Defender\Anti-Virus\FSGK32.EXE
C:\Program Files\PC Defender\backweb\989252\program\fsbwsys.exe
C:\Program Files\PC Defender\Common\FSMA32.EXE
C:\Program Files\PC Defender\Anti-Virus\fssm32.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PC Defender\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Defender\backweb\989252\Program\fspex.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Defender\Common\FCH32.EXE
C:\Program Files\PC Defender\Common\FAMEH32.EXE
C:\Program Files\PC Defender\Anti-Virus\fsqh.exe
C:\Program Files\PC Defender\FSPC\fspc.exe
C:\Program Files\PC Defender\Anti-Virus\fsrw.exe
C:\Program Files\PC Defender\Anti-Virus\fsav32.exe
C:\Program Files\PC Defender\FWES\Program\fsdfwd.exe
C:\PROGRA~1\PCDEFE~1\ANTI-S~1\fsaw.exe
C:\Program Files\PC Defender\FSGUI\fsguidll.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\PC Defender\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\PC Defender\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\PC Defender\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PC Defender.lnk = C:\Program Files\PC Defender\backweb\989252\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\PC Defender\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Defender\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Defender\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Defender\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Defender\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Defender\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: PC Defender (BackWeb Plug-in - 989252) - TDS - C:\PROGRA~1\PCDEFE~1\backweb\989252\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\PC Defender\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\PC Defender\backweb\989252\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PC Defender\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\PC Defender\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\PC Defender\Common\FSMA32.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9754 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080526-230305-233 O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
backup-20080526-230305-474 O2 - BHO: (no name) - {253FF9B4-D29A-4E6F-8204-2CB617A0513B} - (no file)
backup-20080526-230305-985 O2 - BHO: (no name) - {AE9DFE99-ED18-42F1-8CF3-0816DE8E1217} - (no file)
backup-20080526-230308-272 O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
backup-20080526-230309-152 O17 - HKLM\System\CCS\Services\Tcpip\..\{CDCF9A64-19DB-4610-B374-6F5465D07AA1}: NameServer = 66.82.4.8
backup-20080526-230309-469 O17 - HKLM\System\CCS\Services\Tcpip\..\{9824D31A-D5CB-4E79-B2FE-FA3ACB179153}: NameServer = 216.165.129.157,216.170.153.146
backup-20080526-230309-820 O20 - Winlogon Notify: hgGvsTNE - hgGvsTNE.dll (file missing)
backup-20080526-230309-885 O17 - HKLM\System\CCS\Services\Tcpip\..\{CDCF9A64-19DB-4610-B374-6F5465D07AA1}: Domain = direcway.com
backup-20080526-230709-955 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
backup-20080527-072157-465 O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
backup-20080527-225411-985 O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
backup-20080605-153417-811 O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - (no file)
backup-20080605-154556-927 O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - (no file)
backup-20080605-154634-107 O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - (no file)
backup-20080605-155101-402 O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\pc defender\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\pc defender\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\pc defender\anti-virus\win2k\fsrec.sys
R2 permmgr - c:\windows\system32\drivers\permmgr.sys <Not Verified; Hughes Network Systems; DirecPC>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 DPCNET5U (Satellite USB Driver) - c:\windows\system32\drivers\dpcnet5u.sys <Not Verified; Hughes Network Systems; DIRECWAY>
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BackWeb Plug-in - 989252 (PC Defender) - c:\progra~1\pcdefe~1\backweb\989252\program\servic~1.exe <Not Verified; TDS; RunnerEXE Application>
R2 FSBWSYS - "c:\program files\pc defender\backweb\989252\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\pc defender\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corporation; F-Secure Corp. Startup service>
R2 FSMA - "c:\program files\pc defender\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\pc defender\fwes\program\fsdfwd.exe" <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R3 fshttps (F-Secure HTTP Server) - "c:\program files\pc defender\fspc\fshttps\fshttps.exe" <Not Verified; F-Secure Corporation; F-Secure Parental Control>

S4 DPC_SRV_WEBCAST (DIRECWAY Webcast) -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel® 82915G/GV/910GL Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_2A08103C&REV_04\3&11583659&1&10
Manufacturer: Intel Corporation
Name: Intel® 82915G/GV/910GL Express Chipset Family
PNP Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_2A08103C&REV_04\3&11583659&1&10
Service: ialm


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 20:03:42 544 --a------ C:\WINDOWS\Tasks\Scheduled scanning task.job


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 15:54:05 0 d-------- C:\WINDOWS\LastGood
2008-06-06 08:28:28 0 d-------- C:\WINDOWS\system32\RTCOM
2008-06-06 00:21:41 0 d-------- C:\WINDOWS\Prefetch
2008-06-06 00:09:48 0 d-------- C:\WINDOWS\system32\scripting
2008-06-06 00:09:48 0 d-------- C:\WINDOWS\l2schemas
2008-06-06 00:09:47 0 d-------- C:\WINDOWS\system32\bits
2008-06-06 00:07:27 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-05 23:56:26 0 d-------- C:\WINDOWS\EHome
2008-06-05 13:17:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-05 13:14:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-05 13:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-05 13:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-05 13:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-05 13:03:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-05 13:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-05 13:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-05 13:03:00 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-05 13:03:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-05 13:03:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-05 13:03:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-05 13:03:00 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-05 13:03:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-05 13:03:00 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-05 13:03:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-05 13:03:00 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-05 13:03:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-05 13:03:00 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-05 13:03:00 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-05 13:03:00 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-05 13:03:00 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-05 13:03:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-05 13:03:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-05 12:41:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-05 11:18:14 0 d-------- C:\Program Files\Panda Security
2008-06-05 10:06:35 0 d-------- C:\fsaua.data
2008-05-28 20:05:09 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-28 18:20:37 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\GlarySoft
2008-05-28 18:14:01 0 d-------- C:\Program Files\Registry Repair
2008-05-27 22:40:41 0 d-------- C:\Program Files\Lavasoft
2008-05-27 22:39:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 20:20:10 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-26 20:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 20:09:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 17:53:45 0 d-------- C:\Program Files\Trend Micro
2008-05-26 16:53:49 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-05-26 16:53:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 16:53:21 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-20 00:08:41 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 21:53:48 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-19 19:06:35 1006861 --ahs---- C:\WINDOWS\system32\gjjPAGgh.ini2
2008-05-19 09:19:19 1006841 --ahs---- C:\WINDOWS\system32\opqBcccf.ini2
2008-05-18 21:41:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 10:58:53 1345060 --ahs---- C:\WINDOWS\system32\ooVGOXbc.ini2
2008-05-18 09:16:26 1342461 --ahs---- C:\WINDOWS\system32\fOVDNXbc.ini2


-- Find3M Report ---------------------------------------------------------------

2008-06-06 00:10:17 0 d-------- C:\Program Files\Messenger
2008-06-06 00:09:47 0 d-------- C:\Program Files\Movie Maker
2008-06-06 00:07:11 0 d-------- C:\Program Files\Windows NT
2008-06-05 15:03:52 0 d-------- C:\Program Files\Java
2008-06-02 08:11:51 0 d-------- C:\Program Files\MSN Encarta Standard
2008-05-29 22:39:29 0 d-------- C:\Program Files\Diablo II
2008-05-28 16:21:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-27 22:39:55 0 d-------- C:\Program Files\Common Files
2008-05-20 00:07:42 0 d-------- C:\Program Files\Logitech
2008-05-19 16:26:06 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-05-18 21:17:54 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-18 20:34:11 0 d-------- C:\Program Files\eBay
2008-03-29 17:30:34 1187840 --a------ C:\WINDOWS\system32\winsflt.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/05/2005 03:23 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 04:55 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 11:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [05/19/2008 04:24 PM C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"F-Secure Manager"="C:\Program Files\PC Defender\Common\FSM32.exe" [10/25/2005 09:51 PM]
"F-Secure TNB"="C:\Program Files\PC Defender\TNB\TNBUtil.exe" [07/18/2005 10:51 AM]
"F-Secure Startup Wizard"="C:\Program Files\PC Defender\FSGUI\FSSW.exe" [10/18/2005 04:29 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [01/23/2002 01:09 PM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/15/2004 12:54 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/21/2004 09:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [06/07/2004 09:53 PM]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [06/07/2004 09:42 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 11:01 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/21/2004 09:39 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [04/13/2008 08:12 PM]
"SoundMan"="SOUNDMAN.EXE" [09/21/2005 10:24 AM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [09/21/2005 03:32 PM C:\WINDOWS\ALCWZRD.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]
PC Defender.lnk - C:\Program Files\PC Defender\backweb\989252\Program\fspex.exe [11/12/2007 5:21:21 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGAPjjg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Skytrak Desktop Weather Center.lnk]
backup=C:\WINDOWS\pss\Skytrak Desktop Weather Center.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^SkyTracker 13 Desktop Weather Center.lnk]
backup=C:\WINDOWS\pss\SkyTracker 13 Desktop Weather Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\74d31d7c]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM77e02ee0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=3 (0x3)
"iPodService"=3 (0x3)
"DPC_SRV_WEBCAST"=2 (0x2)
"CLTNetCnService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7736df4c-d6f1-11d9-9d48-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7736df4e-d6f1-11d9-9d48-806d6172696f}]
AutoRun\command- E:\SETUP.EXE




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8382 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-06 22:29:56 ------------
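The DSS and HijackThis output above contains the structural indicators a helper would look at first: an O20 Winlogon Notify package whose DLL is missing, BHOs registered with no backing file, an extra module listed under the LSA "Authentication Packages" value next to msv1_0, hidden+system .ini2 files in system32 with eight-letter names, per-interface O17 DNS servers, and an IE proxy pointing at 127.0.0.1. The script below is an added example written for this page; it is not part of the thread and is not code from HijackThis, DSS or any other tool named here. It runs a few simple triage rules over a constructed sample made of lines copied from the logs above plus one benign control line. The rule set, the severity labels and the eight-letter mixed-case name check are the editor's own assumptions; the name check is only a secondary signal, because legitimate names such as DirectCD match it too.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the DSS/HJT logs in this thread, plus
# one benign control line (the LightScribe service) that must not be flagged.
SAMPLE_LOG = r"""O20 - Winlogon Notify: hgGvsTNE - hgGvsTNE.dll (file missing)
O2 - BHO: (no name) - {253FF9B4-D29A-4E6F-8204-2CB617A0513B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDCF9A64-19DB-4610-B374-6F5465D07AA1}: NameServer = 66.82.4.8
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGAPjjg
2008-05-19 19:06:35 1006861 --ahs---- C:\WINDOWS\system32\gjjPAGgh.ini2
"""


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm ownership first (editor's labels)
    line: str
    reason: str


# Eight letters, both cases present, no digits: the shape of the hgGvsTNE /
# hgGAPjjg / gjjPAGgh names in the thread. Secondary signal only.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")


def looks_random(name: str) -> bool:
    return bool(RANDOM_NAME.match(name))


def triage_line(line: str) -> Optional[Finding]:
    line = line.rstrip()

    # O20: Winlogon Notify packages are loaded by winlogon.exe at logon. A
    # missing DLL is an orphan left by a removal; a random name on a DLL that
    # still exists is live persistence.
    m = re.match(r"^O20 - Winlogon Notify: (\S+) - (\S+)(.*)$", line)
    if m:
        name, _dll, rest = m.groups()
        if "(file missing)" in rest:
            return Finding("high", line, f"orphaned Winlogon Notify package {name} (DLL missing)")
        if looks_random(name):
            return Finding("high", line, f"Winlogon Notify package {name} with random-looking name")
        return None

    # O2: a BHO registration with no backing file is an orphan.
    if line.startswith("O2 - BHO:") and line.endswith("- (no file)"):
        return Finding("review", line, "orphaned BHO registration (no file)")

    # LSA Authentication Packages: on a stock XP install only msv1_0 is listed.
    m = re.match(r'^"Authentication Packages"=\s*(.*)$', line)
    if m:
        extras = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extras:
            return Finding("high", line, "extra LSA authentication package(s): " + ", ".join(extras))
        return None

    # DSS file listing: hidden+system .ini2 files in system32 with 8-letter names.
    m = re.match(r"^\S+ \S+ \d+ --ahs---- (.*\\system32\\([A-Za-z]{8})\.ini2)$", line)
    if m:
        return Finding("high", line, f"hidden/system file {m.group(2)}.ini2 in system32")

    # O17: per-interface DNS servers. Not malicious by themselves; confirm they
    # belong to the ISP rather than to a DNS changer.
    m = re.match(r"^O17 - .*NameServer = (.*)$", line)
    if m:
        return Finding("review", line, f"per-interface DNS servers {m.group(1)} (confirm they are the ISP's)")

    # R1 ProxyServer on localhost: how filtering products intercept browser
    # traffic, and also how proxy hijackers work. Confirm which process listens.
    m = re.search(r"ProxyServer = (\S+)$", line)
    if m and "127.0.0.1" in m.group(1):
        return Finding("review", line, f"IE proxy points at localhost ({m.group(1)}); confirm the owning product")

    return None


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every line and keep the hits, in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the script reports three "high" findings (the missing hgGvsTNE.dll notify package, the hgGAPjjg entry under Authentication Packages, and gjjPAGgh.ini2) and three "review" items (the orphaned BHO, the O17 DNS server and the localhost proxy), while the SSVHelper BHO and the LightScribe service pass through untouched.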



#2 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 19 June 2008 - 06:02 PM

Welcome to Bleeping Computer, please be sure you have read and followed the Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait, if your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

If you have not resolved these issues, turn off Selective Startup in MSConfig and create a new HJT log (not DSS at this time) and post it using Add Reply. You can return to SS without a reboot.
I would be glad to take a look.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 bsosbe (Topic Starter)

  • Members
  • 5 posts
  • Location:Indiana

Posted 21 June 2008 - 12:03 AM

Thanks for the response. I think I've got it pretty much taken care of. Between the previous online scans and the Spybot S&D scan I did, I had several instances of Virtumonde, Yazzle and some trojans removed. I was only unsure of what files/registry entries I should remove and change. I removed what I thought didn't belong, comparing my system with my son's laptop, and changed a registry value. I still don't know what to do, if anything, about the file association for .cpl files that appears in red on my DSS scan. Another thing I noticed was that my Guest account had been turned on, which was previously never turned on, and I found a registry entry in my HKEY_USERS that wasn't there before. It was PE_C_ADMINISTRATOR (or something like that). And when I tried to click the + next to it to expand it, it told me access was denied. At that point I also noticed that I had absolutely no entries in HKEY_LOCAL_MACHINE -----> CurrentControlSet -----> Control -----> LSA (which I believe is where all of my local security settings are supposed to be). At that point I panicked and restored my system to the Last Known Good Configuration. The only thing I've noticed not running correctly is my Help and Support. Any ideas as to why the extra administrator account would appear like that? I tried doing a web search for PE_C_ADMINISTRATOR and all I could come up with were entries in people's scans trying to remove malware. Not a very good sign to me. Do I have bigger problems than I am aware of? If I need to post in another forum, let me know and I can do that with a link back to this post.
Thanks!

#4 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 21 June 2008 - 07:11 AM

Thanks for your response. Since some time has passed and malware changes, plus you have made changes, I can't really say anything until I get information. That all starts with the information I requested in my first post to your topic.

If you have not resolved these issues, turn off Selective Startup in MSConfig and create a new HJT log (not DSS at this time) and post it using Add Reply. You can return to SS without a reboot.
I would be glad to take a look.

Please don't attach files unless I request them that way.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 bsosbe (Topic Starter)

  • Members
  • 5 posts
  • Location:Indiana

Posted 21 June 2008 - 08:57 AM

Hi Phil,

I apologize for not following your instructions. Here is the new HJT log after changing to normal startup in MSConfig.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:02 AM, on 6/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\PC Defender\Common\FSM32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\PCDEFE~1\backweb\989252\Program\SERVIC~1.EXE
C:\Program Files\PC Defender\Anti-Virus\fsgk32st.exe
C:\Program Files\PC Defender\backweb\989252\program\fsbwsys.exe
C:\Program Files\PC Defender\Anti-Virus\FSGK32.EXE
C:\Program Files\PC Defender\Common\FSMA32.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PC Defender\Common\FSMB32.EXE
C:\Program Files\PC Defender\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Defender\backweb\989252\Program\fspex.exe
C:\Program Files\PC Defender\Common\FCH32.EXE
C:\Program Files\PC Defender\Common\FAMEH32.EXE
C:\Program Files\PC Defender\Anti-Virus\fsqh.exe
C:\Program Files\PC Defender\Anti-Virus\fsrw.exe
C:\Program Files\PC Defender\FSPC\fspc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Defender\Anti-Virus\fsav32.exe
C:\Program Files\PC Defender\FWES\Program\fsdfwd.exe
C:\PROGRA~1\PCDEFE~1\ANTI-S~1\fsaw.exe
C:\Program Files\PC Defender\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\PC Defender\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\PC Defender\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\PC Defender\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PC Defender.lnk = C:\Program Files\PC Defender\backweb\989252\Program\fspex.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\PC Defender\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Defender\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Defender\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Defender\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Defender\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Defender\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: PC Defender (BackWeb Plug-in - 989252) - TDS - C:\PROGRA~1\PCDEFE~1\backweb\989252\Program\SERVIC~1.EXE
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - (no file)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\PC Defender\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\PC Defender\backweb\989252\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PC Defender\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\PC Defender\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\PC Defender\Common\FSMA32.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10217 bytes

#6 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 21 June 2008 - 09:14 AM

No problem, you can also return to Selective Startup now that I have seen MSConfig in Normal Mode, to save your resources if you have not done so.

I am not seeing any malware in this HJT log. How is PC Defender working for you? I am not familiar with the program. Is it from F-Secure (with whom I am familiar)?

Since I am seeing no malware, why don't you ask your Windows XP questions here:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Let's run a good malware scan to see if it spots anything:

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 bsosbe

  • Topic Starter
  • Members
  • 5 posts
  • Location:Indiana

Posted 21 June 2008 - 10:42 AM

I've been using PC Defender for about a year now. Yes, PC Defender is from F-Secure. It's a package containing AV, FW, Popup blocker, Spam Blocker and a Web Filter and is offered by my ISP. IMO, it is not very user friendly.

It seemed to be working great until the middle of May when I started getting popups and my computer slowed down. I left my computer off for about a week and a half before I started with the virus/malware scans. And that's when I posted here because I wasn't sure where to go from there.


Here is the MBAM log:

Malwarebytes' Anti-Malware 1.18
Database version: 874

11:01:56 AM 6/21/2008
mbam-log-6-21-2008 (11-01-56).txt

Scan type: Full Scan (C:\|D:\|L:\|)
Objects scanned: 127048
Time elapsed: 33 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Owner\Local Settings\Temp\services.chw (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


I currently have a system control change from PC Defender asking me if I want to allow or block the change to system control.

It says System Control has noticed an attempt to associate .reg files with the regedit.exe "%1" %* application.

I believe this is due to MBAM removing the services.chw file but I would like to make sure.

Thanks!
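A small triage script, added here as an example; it is not code from this thread or from the HijackThis, Malwarebytes or F-Secure projects. It automates two things a helper does by hand on the posts above: it groups a HijackThis log by section and lists the entries HijackThis itself marks as "(no file)" (left-over entries whose target no longer exists, like the DIRECWAY service in the log in post #5), and it compares a file-association command against the default quoted in the PC Defender prompt in post #7, `regedit.exe "%1" %*`, so that a quoted full path to regedit.exe still counts as the default while anything else is reported for review. The sample log lines are constructed from the log above; the registry read at the end only works on Windows, and the ProgID names `regfile` (for .reg) and `cplfile` (for .cpl) are assumed to be the standard ones.

```python
"""Triage helpers for HijackThis logs and file-association prompts.

Added example for this thread; not code from HijackThis, Malwarebytes or F-Secure.
"""
import re
from collections import defaultdict

# Constructed sample in the HijackThis v2 log format, modelled on the log posted above.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [KBD] C:\\HP\\KBD\\KBD.EXE
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
--
End of file - 10217 bytes
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Group HijackThis entries by section code; lines that are not entries are ignored."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            sections[m.group("section")].append(m.group("body"))
    return dict(sections)


def orphaned_entries(sections):
    """Entries HijackThis itself marks as pointing at a file that no longer exists."""
    return [(code, body) for code, bodies in sections.items()
            for body in bodies if body.endswith("(no file)")]


# Default .reg association on Windows XP, as quoted in the PC Defender prompt above.
EXPECTED_REG_COMMAND = 'regedit.exe "%1" %*'

# First token of a shell command: either a quoted path or a run of non-spaces, then the rest.
EXE_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


def _normalize_command(cmd):
    """Reduce a command to '<exe basename> <args>', lower-cased with collapsed whitespace,
    so '"C:\\WINDOWS\\regedit.exe" "%1" %*' compares equal to 'regedit.exe "%1" %*'."""
    m = EXE_TOKEN.match(cmd)
    if not m:
        return ""
    exe = (m.group(1) or m.group(2)).lower().rsplit("\\", 1)[-1]
    args = " ".join(m.group(3).split()).lower()
    return f"{exe} {args}".strip()


def association_is_default(actual, expected=EXPECTED_REG_COMMAND):
    """True when the command stored for a file type matches the expected default."""
    return _normalize_command(actual) == _normalize_command(expected)


def read_association_command(progid):
    """Read HKCR\\<progid>\\shell\\open\\command (Windows only; returns None elsewhere).
    Assumed ProgIDs: 'regfile' for .reg files and 'cplfile' for .cpl files."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    sections = parse_hjt(SAMPLE_HJT_LOG)
    for code, bodies in sorted(sections.items()):
        print(f"{code}: {len(bodies)} entries")
    for code, body in orphaned_entries(sections):
        print("orphaned:", code, body)
    for cmd in (EXPECTED_REG_COMMAND, '"C:\\WINDOWS\\regedit.exe" "%1" %*'):
        print(cmd, "->", "default" if association_is_default(cmd) else "CHANGED, review")
    live = read_association_command("regfile")
    if live is not None:
        print("live .reg association:", live, "->",
              "default" if association_is_default(live) else "CHANGED, review")
```

Run it with a real log by reading the file into `parse_hjt`; an entry reported as orphaned only means the target is gone (a stale service registration, as in the log above), which is a cleanup item rather than evidence of infection, and a changed association is something to look at before allowing the prompt rather than a verdict.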

#8 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 21 June 2008 - 11:12 AM

I think you are right, allow it. I tried to get information but nothing is available. Unlikely the file is needed and it is in MBAM quarantine if it is.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#9 bsosbe

  • Topic Starter
  • Members
  • 5 posts
  • Location:Indiana

Posted 21 June 2008 - 11:31 AM

Thunderstorms + DSL Modems = UGH!!

OK, I allowed the change and will make a post in the forum you recommended for Windows XP questions.

Thanks for your help!

#10 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 21 June 2008 - 11:56 AM

I'm in Central Florida on Verizon DSL and storms are moving through here. I have been out a couple of times this morning. This is what I use.

http://www.cyberpowersystems.com/products/...surge/1080.html
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
