Bugnraw Infection


This topic is locked. 29 replies to this topic.

#1 alpenview (Members, 47 posts)

Posted 13 August 2008 - 04:45 PM

This is the HJT log. I've run all the other previous suggestions. Housecall didn't find anything but I could not write a log as presumably CA antivirus is quarantining me for trying to put a virus on the system during the scan. Other relevant info is in the "I'm infected" forum.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:26 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
E:\Program Files\CA\eTrust Antivirus\inoweb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\system32\ppRemoteService.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
E:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe
E:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\C0130Mon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\User Data\gkaiser\hijackthis\HijackThis.exe

O1 - Hosts: HP79701D HP0017a479701d
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [IntelWireless] E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ACT_APL] "E:\Program Files\ACT_APL.exe"
O4 - HKLM\..\Run: [masqform.exe] E:\Program Files\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~2\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [C0130Mon.exe] C:\WINDOWS\C0130Mon.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2118672066-608312568-3473557-3852\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2118672066-608312568-3473557-4961\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = E:\Program Files\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217983812841
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\Software\..\Telephony: DomainName = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: eTrust Antivirus Web Access Server (Inoweb) - Unknown owner - E:\Program Files\CA\eTrust Antivirus\inoweb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\WINDOWS\system32\ppRemoteService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: WLANKEEPER - Intel® Corporation - E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13624 bytes

Alpenview

Edited by alpenview, 13 August 2008 - 05:16 PM.



#2 Billy O'Neal (Malware Response Team, Visual C++ STL Maintainer, 12,304 posts, Redmond, Washington)

Posted 22 August 2008 - 09:24 AM

Hello, alpenview.
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Add Reply button in the lower left hand corner of your screen.
We need to run OTScanIt
Before running a new scan let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • In the Rootkit Search area select Yes
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Disabled MS Config Items
      Reg - File Associations
      Reg - Uninstall List
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 alpenview (Topic Starter, Members, 47 posts)

Posted 24 August 2008 - 06:56 PM

Hi Billy,

I tried to use the ATF cleaner as instructed but for some reason the "firefox" button was grayed out. I downloaded the file a second time but had the same issue. The first attempt did delete some files.

Additionally when I booted my computer today (prior to taking the above action) I got a warning from AVG that said:
Trojan Horse Dropper.Agent.JOC detected upon open.
C:\Program Files\Common Files\InstallShield\engine\6\intel 3\knlwrap.exe
Process Name: E:\Program files\CA\etrust antivirus\inort.exe
Process id 1664.

I realize I probably should not be running two separate antivirus programs, but I got suspicious of the CA program when I couldn't delete it when logged in as an admin. Consequently I'm not sure if this is one program detecting the other or if an additional problem has occurred.

When I instructed AVG to heal the problem, it tried to address 10 separate instances but in all cases it said the file couldn't be found. I didn't write the file locations down, but it seemed to me that perhaps all 10 files referenced the same location.

I tried to upload the OTscan file but got an error message that it was bigger than the allotted 512k bytes. My system lists it as being 946KB.

Thanks for the help.

Alpenview

Edited by alpenview, 24 August 2008 - 06:57 PM.


#4 Billy O'Neal (Malware Response Team, Visual C++ STL Maintainer, 12,304 posts, Redmond, Washington)

Posted 24 August 2008 - 10:41 PM

Alright.. you're not the first person who has had problems with OTSI lately... I think I'm going to discontinue use of that particular tool now :thumbsup:

Please post a fresh HJT log :)

Billy3

#5 alpenview (Topic Starter, Members, 47 posts)

Posted 25 August 2008 - 10:28 AM

Here is a fresh HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:12 AM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
E:\Program Files\CA\eTrust Antivirus\inoweb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\system32\ppRemoteService.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
E:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe
E:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\C0130Mon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
E:\Program Files\thunderbird.exe
C:\WINDOWS\system32\HPZinw12.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\User Data\gkaiser\hijackthis\HijackThis.exe

O1 - Hosts: HP79701D HP0017a479701d
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [IntelWireless] E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ACT_APL] "E:\Program Files\ACT_APL.exe"
O4 - HKLM\..\Run: [masqform.exe] E:\Program Files\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [C0130Mon.exe] C:\WINDOWS\C0130Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = E:\Program Files\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217983812841
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\Software\..\Telephony: DomainName = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: eTrust Antivirus Web Access Server (Inoweb) - Unknown owner - E:\Program Files\CA\eTrust Antivirus\inoweb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\WINDOWS\system32\ppRemoteService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: WLANKEEPER - Intel® Corporation - E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 12968 bytes

#6 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 August 2008 - 01:04 PM

Hello, alpenview.
We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/163130/bugnraw-infection/
  • Where it says "Browse to the file you want to submit", copy and paste in
    C:\WINDOWS\C0130Mon.exe
  • Press the Posted Image button.
We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/163130/bugnraw-infection/
  • Where it says "Browse to the file you want to submit", copy and paste in
    E:\Program Files\masqform.exe
  • Press the Posted Image button.
We need to repair your Hosts file
  • Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

We need to move some files
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\AskSBar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5233FCD-D258-4903-89B8-FB1568E7413D}
    HKEY_CLASSES_ROOT\CLSID\{D5233FCD-D258-4903-89B8-FB1568E7413D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}
    HKEY_CLASSES_ROOT\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}
    HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\AutorunsDisabled
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

In your next reply, please include the following:
  • OTMoveIt2's Log
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
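The OTMoveIt2 script above is the end product of reading the HijackThis log by hand: the two binaries sent off for inspection are the ones sitting loose in C:\WINDOWS and E:\Program Files, the CLSIDs are the Ask toolbar registrations, and the O24 entry has no file behind it. The following Python script is an added example (my code, not part of the thread and not a HijackThis or OTMoveIt2 feature) that applies those three checks mechanically to O2/O4/O9/O24 lines. The "loose root folder" rule and the list of root folders are assumptions of this example; the sample lines are copied from the logs in this thread, except for one constructed O2 line for the Ask CLSID, whose real DLL name the thread does not give.

```python
"""HijackThis log triage.

Added example for this thread (my code, not HijackThis, OTMoveIt2 or anything
the poster ran). It applies three of the rules a responder applies by eye to
O2/O4/O9/O24 lines: orphaned entries whose file is gone, CLSIDs already on the
removal list, and binaries dropped straight into a root folder such as
C:\\WINDOWS or E:\\Program Files instead of a vendor subfolder. The root-folder
rule is an assumption of this example, not a HijackThis feature.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Drive-letter path up to the first executable or library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx|sys)", re.IGNORECASE)

# Directories a legitimate installer normally does not drop a bare binary into
# (assumed list; 8.3 forms included because HijackThis prints them that way).
LOOSE_ROOTS = {"C:\\WINDOWS", "C:\\PROGRAM FILES", "E:\\PROGRAM FILES",
               "C:\\PROGRA~1", "E:\\PROGRA~1"}

# CLSIDs from the OTMoveIt2 script posted in the thread, normalised to upper case.
REMOVAL_CLSIDS = {
    "{D5233FCD-D258-4903-89B8-FB1568E7413D}",
    "{F0D4B231-DA4B-4DAF-81E4-DFEE4931A4AA}",
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}",
}


@dataclass
class Finding:
    section: str   # "O2", "O4", ...
    reason: str    # "orphan", "known-removal" or "loose-binary"
    detail: str


def first_path(body):
    """Return the first drive-letter path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def is_loose_binary(path):
    """True when the file sits directly in one of LOOSE_ROOTS."""
    parent = path.rsplit("\\", 1)[0].upper()
    return parent in LOOSE_ROOTS


def triage(log_text):
    """Return the list of Findings for every O-line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(section, "orphan", body))
            continue
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).upper() in REMOVAL_CLSIDS:
            findings.append(Finding(section, "known-removal", body))
            continue
        path = first_path(body)
        if path and is_loose_binary(path):
            findings.append(Finding(section, "loose-binary", path))
    return findings


# Lines copied from the logs in this thread, plus one constructed O2 line for the
# Ask toolbar CLSID (the real DLL name is not in the thread, hence placeholder.dll).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D5233FCD-D258-4903-89B8-FB1568E7413D} - C:\Program Files\AskSBar\bar\1.bin\placeholder.dll
O4 - HKLM\..\Run: [IntelWireless] E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [masqform.exe] E:\Program Files\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [C0130Mon.exe] C:\WINDOWS\C0130Mon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:14} {f.detail}")
```

Run against the sample it reports exactly the items the responder acted on: the Ask CLSID, masqform.exe and C0130Mon.exe as loose binaries, and the two orphaned O9/O24 entries. A "loose-binary" hit is a prompt to submit the file for inspection, not a verdict; plenty of legitimate software also drops a single helper into C:\WINDOWS.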

#7 alpenview
  • Topic Starter

  • Members
  • 47 posts

Posted 26 August 2008 - 07:10 PM

Billy,

I have uploaded the two files. Also following are the MoveIt log and a HijackThis log. I did not perform the host restore operation. I will clarify this in a PM.

MoveIt log:

C:\Program Files\AskSBar\bar\Settings moved successfully.
Folder move failed. C:\Program Files\AskSBar\bar\History scheduled to be moved on reboot.
C:\Program Files\AskSBar\bar\Cache moved successfully.
Folder move failed. C:\Program Files\AskSBar\bar\1.bin scheduled to be moved on reboot.
Folder move failed. C:\Program Files\AskSBar\bar scheduled to be moved on reboot.
Folder move failed. C:\Program Files\AskSBar scheduled to be moved on reboot.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5233FCD-D258-4903-89B8-FB1568E7413D} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5233FCD-D258-4903-89B8-FB1568E7413D}\\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{D5233FCD-D258-4903-89B8-FB1568E7413D} >
Registry key HKEY_CLASSES_ROOT\CLSID\{D5233FCD-D258-4903-89B8-FB1568E7413D}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} >
Registry key HKEY_CLASSES_ROOT\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} >
Registry key HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}\\ not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\AutorunsDisabled >
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\AutorunsDisabled\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08262008_164335

Files moved on Reboot...
C:\Program Files\AskSBar\bar\History moved successfully.
C:\Program Files\AskSBar\bar\1.bin moved successfully.
C:\Program Files\AskSBar\bar moved successfully.
C:\Program Files\AskSBar moved successfully.


HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:22 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
E:\Program Files\CA\eTrust Antivirus\inoweb.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
E:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ppRemoteService.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe
E:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\C0130Mon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
E:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
F:\User Data\gkaiser\hijackthis\HijackThis.exe

O1 - Hosts: HP79701D HP0017a479701d
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelWireless] E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ACT_APL] "E:\Program Files\ACT_APL.exe"
O4 - HKLM\..\Run: [masqform.exe] E:\Program Files\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [C0130Mon.exe] C:\WINDOWS\C0130Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = E:\Program Files\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217983812841
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\Software\..\Telephony: DomainName = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: eTrust Antivirus Web Access Server (Inoweb) - Unknown owner - E:\Program Files\CA\eTrust Antivirus\inoweb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\WINDOWS\system32\ppRemoteService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: WLANKEEPER - Intel® Corporation - E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12532 bytes

#8 Billy O'Neal (Malware Response Team)

Posted 26 August 2008 - 08:50 PM

Evidence in your log (That is

O1 - Hosts: HP79701D HP0017a479701d

) indicates possible corruption of your hosts file. Please reset the default values and post a new HJT log.

Billy3
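The O1 line HijackThis reports is the hosts file entry it could not account for: the first token is not an IP address at all, and anything beyond the single Microsoft default line deserves a look. The script below is an added example (my code, not HostsXpert and not something the poster ran) covering both the HostsXpert step in post #6 and this post's diagnosis: it parses a hosts file, keeps the Microsoft default, and sorts every other line into malformed, hijack, redirect or blocked. The watch-list of update and vendor domains is an assumption of this example; the sample hosts content is constructed, with the HP line taken from the O1 entry above and the remaining three lines made up to exercise each verdict.

```python
"""Hosts-file audit.

Added example for this thread (my code, not HostsXpert's). It reads hosts-file
text, keeps the Microsoft default (127.0.0.1 localhost, and ::1 localhost on
newer systems) and classifies every other line: "malformed" when the first
token is not an IP address, "hijack" when a name on a watch-list of update and
security-vendor domains is mapped anywhere, "redirect" when a name points at a
non-loopback address, and "blocked" when it points at loopback. The watch-list
is an assumption of this example.
"""
import ipaddress

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Assumed watch-list: domains a home machine has no reason to pin in hosts.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avg.com", "trendmicro.com")


def parse_hosts(text):
    """Yield (lineno, ip_or_None, tokens) for each non-comment, non-blank line.

    When the first token parses as an address, tokens holds the hostnames that
    follow it; otherwise tokens holds the whole line so the caller can report it.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            yield lineno, None, tokens
            continue
        yield lineno, ip, tokens[1:]


def classify(ip, name):
    """Classify one (ip, hostname) pair; None means the Microsoft default line."""
    name = name.lower()
    if (str(ip), name) in DEFAULT_ENTRIES:
        return None
    if name.endswith(WATCH_SUFFIXES):
        return "hijack"
    return "blocked" if ip.is_loopback else "redirect"


def audit_hosts(text):
    """Return (lineno, verdict, detail) for every line that is not the default."""
    findings = []
    for lineno, ip, tokens in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", " ".join(tokens)))
            continue
        for name in tokens:
            verdict = classify(ip, name)
            if verdict:
                findings.append((lineno, verdict, f"{name} -> {ip}"))
    return findings


# Constructed sample: a shortened default header and localhost line, the O1
# entry from the HijackThis log above, and three lines made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
HP79701D        HP0017a479701d
127.0.0.1       www.update.microsoft.com
198.51.100.7    www.example.com
127.0.0.1       ads.example.com
"""

if __name__ == "__main__":
    for lineno, verdict, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {verdict:9} {detail}")
```

On a live machine the text to feed in is the contents of C:\WINDOWS\system32\drivers\etc\hosts; the file is often made read-only or hidden by whatever wrote to it, which is why HostsXpert has a "Make Hosts Writable?" button. A "hijack" or "redirect" verdict is the case where restoring the default file matters most, because the entry silently changes where the browser, the AV updater or Windows Update actually connects.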

#9 alpenview (Topic Starter)

Posted 27 August 2008 - 01:04 PM

Billy,

I've tried to download the HostsXpert file numerous times today with no success. I've gone directly to the funkytoad.com site but that didn't help either.

The download seems to stall with a very small amount of completion (typically less than 30%) after taking a very long time. I've let it attempt to complete a download for over 20 minutes. This is a rather small file so it shouldn't take that long. Is this typical behavior for this download, or is there something strange about my system?

Alpenview

Edited by alpenview, 27 August 2008 - 01:05 PM.


#10 Billy O'Neal (Malware Response Team)

Posted 27 August 2008 - 07:52 PM

Maybe it is their servers at the moment. A selection of alternate mirrors is available here:
http://www.majorgeeks.com/Hoster_d4626.html

Billy3

#11 Billy O'Neal (Malware Response Team)

Posted 29 August 2008 - 09:26 PM

Hello, alpenview.

Are you still here?

Billy3

#12 alpenview (Topic Starter)

Posted 31 August 2008 - 02:43 PM

Billy,

Finally had a chance to run the HostsXpert app and have run another HijackThis, which is posted below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:42 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
E:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\CA\eTrust Antivirus\InoTask.exe
E:\Program Files\CA\eTrust Antivirus\inoweb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\system32\ppRemoteService.exe
E:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
E:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe
E:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\C0130Mon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
E:\Program Files\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\thunderbird.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\HPZinw12.exe
F:\User Data\gkaiser\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelWireless] E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] E:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ACT_APL] "E:\Program Files\ACT_APL.exe"
O4 - HKLM\..\Run: [masqform.exe] E:\Program Files\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [C0130Mon.exe] C:\WINDOWS\C0130Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\comodo firewall\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "E:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = E:\Program Files\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217983812841
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\Software\..\Telephony: DomainName = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accentopto.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accentopto.com,accentopto.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - E:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: eTrust Antivirus Web Access Server (Inoweb) - Unknown owner - E:\Program Files\CA\eTrust Antivirus\inoweb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\WINDOWS\system32\ppRemoteService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: WLANKEEPER - Intel® Corporation - E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12451 bytes
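A small triage helper for HijackThis logs like the one posted above, added here as an example (it is not code from this thread or from HijackThis itself). It parses the `Onn - ...` entry lines and flags the things a responder checks first: targets marked "(file missing)", O23 services with "Unknown owner", O20 AppInit DLLs given by bare name, and O17 Domain/SearchList values outside the domains the machine is expected to use. The sample log lines are constructed, modelled on entries above, and `corp.example`/`unexpected.example` are placeholder domains.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis (HJT) log format; entries are modelled on
# the O9/O17/O20/O23 lines in the log above, with placeholder domains.
SAMPLE_HJT_LOG = r"""
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.example,unexpected.example
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\comodo firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

HJT_ENTRY = re.compile(r"^(O\d+) - (.*)$")  # "O23 - Service: ..." -> ("O23", "Service: ...")


@dataclass
class Finding:
    section: str  # HJT section, e.g. "O23"
    reason: str   # why the entry deserves a look
    entry: str    # the entry body as it appeared in the log


def parse_hjt(text):
    """Yield (section, body) for each 'Onn - ...' entry; other lines are ignored."""
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text, expected_domains=()):
    """Return Finding objects for entries an analyst would verify first."""
    expected = {d.lower() for d in expected_domains}
    findings = []
    for section, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append(Finding(section, "target file missing", body))
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service has no publisher", body))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split():
                if "\\" not in dll:  # bare name: resolved through the DLL search path
                    findings.append(Finding(section, f"AppInit DLL without full path: {dll}", body))
        if section == "O17" and " = " in body:
            for dom in body.rsplit(" = ", 1)[1].split(","):  # Domain or SearchList values
                if dom.strip().lower() not in expected:
                    findings.append(Finding(section, f"unexpected domain: {dom.strip()}", body))
    return findings
```

Calling `triage(SAMPLE_HJT_LOG, expected_domains=["corp.example"])` returns four findings (the missing file, the unexpected search-list domain, the bare AppInit DLL name and the unowned service); the Intel service and the expected Domain line are not flagged.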

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:18 AM

Posted 31 August 2008 - 02:48 PM

Hello, alpenview.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.

In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A new HJT Log

Billy3

Edited by Billy O'Neal, 31 August 2008 - 02:49 PM.
Forgot new HJT Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#14 alpenview

alpenview
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:07:18 AM

Posted 02 September 2008 - 01:41 PM

Hi Billy,

here is the very short version of what has transpired over the last couple of days.

I tried to run the ESET scan several times but the initialization stalled. So I decided to run the MS updates, but the 700 MB+ on the C drive wasn't enough. I tried to resize the partition using Partition Magic on C from a bit over 9 GB to about 14 GB, but the repartitioning failed. It extracted the storage from another logical drive and then seemingly created an additional drive with the amount of designated storage. I also had an error message that I lost about 50 clusters (so far I haven't had a program/data affected by the lost clusters).

I didn't want to rerun the partition program, so I removed virtually everything I could at least temporarily live without on the C drive. This increased the free space to about 1.4 GB.

I ran the MS updates, multiple of which failed to install since MS consumed all but the last 9 MB (yes MB) of the C drive. I went through trying to install the remainder of the updates individually if they appeared small enough to load. The last few failed as well.

At this point the C drive has 1.5 MB on it, and the other drive, G:, that was created has only 19 MB (out of 4 GB).

It's not clear to me how to best recover some of the space on the C drive to complete the MS updates.

After all that I retried running ESET. It actually progressed further into the initialization but ultimately failed again.

What do you suggest I do next?

Thanks,

Alpenview

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:18 AM

Posted 02 September 2008 - 08:19 PM

Hello, alpenview.
We need to clear out some temporary data.
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

We need to flush windows update's cache.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the "Flush SoftwareDistribution" button.
  • Press "No" at the prompt.
    IMPORTANT!!!!! DO NOT PRESS ANY OTHER BUTTONS IN DIAL A FIX!!!
  • Exit/Close Dial-A-Fix
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Kaspersky's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users