
infected with malware


  • This topic is locked
1 reply to this topic

#1 bbgeek

  • Members
  • 35 posts

Posted 15 February 2009 - 01:51 PM

When I login, the following happens:

UTool - encounters a problem and needs to close
NT Multiple Provider Notification - Data Execution Prevention
Userinit Logon Application - Data Execution Prevention

Registry editing has been disabled (I was always able to edit it before).

Here's my HJT log (thanks in advance!):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:54 AM, on 2009-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\sygate\ssa\syg_hp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\DOCUME~1\kaco\LOCALS~1\Temp\winlognn.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\kaco\LOCALS~1\Temp\sv5jq5f6n8jd.exe
C:\DOCUME~1\kaco\LOCALS~1\Temp\rqj58509me.exe
C:\DOCUME~1\kaco\LOCALS~1\Temp\g3x9hs3uvlov.exe
C:\kurt\spyware\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.corp.hp.com:8088
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SSA\smc.exe" -startgui
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [08fada21] rundll32.exe "C:\WINDOWS\system32\rnenobes.dll",b
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\kaco\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [DeskTopSrv] C:\WINDOWS\system32\grcrt.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\kaco\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [Microsoft Windows Automatic Update] C:\RECYCLER\S-1-5-21-6212264609-2543240198-335255583-1178\mwau.exe
O4 - HKCU\..\Run: [wj2zwrfsh1q77cqnpb7iu] C:\DOCUME~1\kaco\LOCALS~1\Temp\qzvcd4.exe
O4 - HKCU\..\Run: [ped4zozg5albh3es] C:\DOCUME~1\kaco\LOCALS~1\Temp\oeynkqqfj8cf.exe
O4 - HKCU\..\Run: [vod85g49y2cjosdvsw654rxr7j5l36bim4yxkrvluzeee] C:\DOCUME~1\kaco\LOCALS~1\Temp\ymumcagvglx.exe
O4 - HKCU\..\Run: [t86pxdksx0tcxr1502qpmy] C:\DOCUME~1\kaco\LOCALS~1\Temp\l8vx9u6j9iv.exe
O4 - HKCU\..\Run: [ig43kxkh3cxm9kzbxslmvuvxe38jya0uumibqisz7k] C:\DOCUME~1\kaco\LOCALS~1\Temp\t6jmjg8ev.exe
O4 - HKCU\..\Run: [ul1ejo2adyaa6cow7h71xsvr28gmy] C:\DOCUME~1\kaco\LOCALS~1\Temp\nc4w94cfbne.exe
O4 - HKCU\..\Run: [zsulfb58q63dyghxwkt2c7fftt] C:\DOCUME~1\kaco\LOCALS~1\Temp\sv5jq5f6n8jd.exe
O4 - HKCU\..\Run: [ajyrpl3u6apzw7tchjug2ivm49p982g5kx] C:\DOCUME~1\kaco\LOCALS~1\Temp\rqj58509me.exe
O4 - HKCU\..\Run: [x8hmg8d294zj88k03oquy3szbil96v3r5ezpeo2w7zpp] C:\DOCUME~1\kaco\LOCALS~1\Temp\g3x9hs3uvlov.exe
O4 - HKCU\..\Run: [zit6ek1t54ohznzn7] C:\DOCUME~1\kaco\LOCALS~1\Temp\ej0e2auiey.exe
O4 - HKCU\..\Run: [tyulnm2899dcomjgplyvvkog457m939m7i5zrrsb94qqlnx] C:\DOCUME~1\kaco\LOCALS~1\Temp\ct5careaf7z.exe
O4 - HKCU\..\Run: [u2clrg4o7hh44mrgma27d5w9po66ovjdxezjjzv8equm] C:\DOCUME~1\kaco\LOCALS~1\Temp\tweibxxk41hu.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090131a.dll xccd16
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://vincaspro.cce.cpqcorp.net/cpqtraqipo/Exect/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...cab?1208908348468
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vmware.webex.com/client/T26L/training/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9C5CEC-E587-48AE-AB65-F540012B107F}: NameServer = 151.197.0.39,151.197.0.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{B116C73E-0986-4996-B6E9-3C24DFC844F1}: NameServer = 151.197.0.39,151.197.0.38
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O20 - AppInit_DLLs: suohbg.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PictureTaker - LANovation - C:\\system32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

--
End of file - 10320 bytes

Edited by bbgeek, 15 February 2009 - 04:18 PM.
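A log like the one above is usually read by eye, section by section. As an added example (not code from the thread, from HijackThis or from BleepingComputer), the script below parses HJT O2/O4/O7/O20/O23 lines and tags the entries a malware-response volunteer would look at first: autostarts launched from a user-writable Temp or RECYCLER folder, Run values with random-looking names, a Policies\Explorer\Run autostart, a BHO whose display name is just its DLL path, the DisableRegedit policy that explains the "Registry editing has been disabled" symptom, a populated AppInit_DLLs value, and a service whose binary HJT reports missing. The sample log is a constructed subset of lines copied from the post, padded with two benign entries so the heuristics have something to leave alone; the function and class names are my own.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not HijackThis code. It flags the autostart and policy
entries worth a second look; a flag is a reason to investigate, not a
verdict.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines from the log in the post above,
# plus two benign entries (SynTPEnh, Rtvscan) that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [08fada21] rundll32.exe "C:\WINDOWS\system32\rnenobes.dll",b
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\kaco\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [Microsoft Windows Automatic Update] C:\RECYCLER\S-1-5-21-6212264609-2543240198-335255583-1178\mwau.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090131a.dll xccd16
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: suohbg.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


# "O4 - HKLM\..\Run: [name] command" and the Policies\Explorer\Run variant
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O2 - BHO: name - {CLSID} - path"
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.*)$')
# "O23 - Service: name - vendor - path"
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$')
# Folders any user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = re.compile(r'\\(Temp|RECYCLER)\\', re.I)
# Long lowercase alphanumeric soup, or an 8-hex-digit value name.
RANDOM_NAME = re.compile(r'^(?:[a-z0-9]{12,}|[0-9a-f]{8})$')


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(' ', 1)[0]
        if section == 'O4':
            m = O4_RE.match(line)
            if not m:
                continue
            if USER_WRITABLE.search(m['cmd']):
                findings.append(Finding('O4', 'autostart from user-writable Temp/RECYCLER path', line))
            elif RANDOM_NAME.match(m['name']):
                findings.append(Finding('O4', 'random-looking Run value name', line))
            elif 'policies' in m['key'].lower():
                findings.append(Finding('O4', 'autostart via Policies\\Explorer\\Run', line))
        elif section == 'O2':
            m = O2_RE.match(line)
            if m and m['name'].lower() == m['path'].lower():
                findings.append(Finding('O2', 'BHO with no display name (shown as its own DLL path)', line))
        elif section == 'O7' and 'DisableRegedit=1' in line:
            findings.append(Finding('O7', 'Registry Editor disabled by policy', line))
        elif section == 'O20' and line.startswith('O20 - AppInit_DLLs:'):
            if line.split(':', 1)[1].strip():
                findings.append(Finding('O20', 'AppInit_DLLs set (DLL loaded into every user32 process)', line))
        elif section == 'O23':
            m = O23_RE.match(line)
            if m and 'file missing' in m['path']:
                findings.append(Finding('O23', 'service binary reported missing (often an unquoted path with spaces)', line))
    return findings


def summarize(findings):
    """Count findings per HJT section, e.g. {'O4': 4, 'O7': 1}."""
    return dict(Counter(f.section for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:4} {f.reason}\n     {f.line}')
    print(summarize(triage(SAMPLE_LOG)))
```

The rules are deliberately narrow: they encode only what this log exhibits (Temp and RECYCLER launch paths, random value names, the policy Run key, the unnamed BHO, DisableRegedit, AppInit_DLLs), and the "file missing" rule is informational, since here it is a MySQL service with an unquoted path rather than malware. Extending it to O22 SharedTaskScheduler entries that reuse a BHO's CLSID, as this log's O22 line does, would be the natural next step.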




#2 teacup61

  • Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 February 2009 - 11:36 AM

Hi bbgeek. Just replying to this to get it out of the unanswered list. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



