
HiJack This report, Can't seem to get rid of "something"


  • Please log in to reply
12 replies to this topic

#1 C*stag

Posted 06 July 2009 - 10:09 AM

I finally did a HijackThis scan after scanning with Panda and MalwareBytes. There is a trojan that supposedly gets "cleaned" but is there every time Panda scans. It's "Banker" something or other. And NOW I keep getting a weird "jittering" when I try to open a program or click on something with my mouse. The screen "jitters".
I know there is "something" on my PC. My husband normally is not allowed on it because I need it for work, but his got so gunked up with viruses, trojans, etc... he had to have someone who really knew what they were doing reformat it. He's not very careful where he clicks and I'm afraid I'm infected now. How do I make my PC better now that my husband has played fast and loose with it?

Here is the report... what next?? Any help would be greatly appreciated...and any suggestions on how to keep my husband off of my PC would be welcome as well! Thanks in advance!

EDITED TO ADD: I have done some more looking, and it seems whatever it is I have, has something to do with my mouse and/or enter. If I click on something once, it is like I clicked on it 300 or 400 times and tons of processes open up or tons of enters appear on a document. I have been futzing with this, and it seems to only happen the first 15-20 minutes after I start up the PC. It's REALLY strange and I REALLY need my PC well, so please don't pass me by!! I'm a damsel in distress! :thumbup2:

EDITED AGAIN: I installed Avira and it has found TR/Swizzor.A.97. I have not found any info on it and the only site with it listed was in Chinese.

EDITED AGAIN AGAIN: Not sure if this is pertinent, but I thought I would add that Avira had gotten rid of the problem, until another restart; like before, one click registers as hundreds, and Control-Alt-Delete does nothing, even when the clicking problem subsides (like right now). And it said something about my Virtual Memory being too low and it was going to increase it...that is a little troubling to me. Sorry for all of the edits, but I know I am not supposed to bump this and I want as much information on here as possible when someone gets to me. =-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:21 AM, on 7/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-324411396-989792748-1351325880-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {819F4767-7EFB-11D2-B7D1-0000F67E39D0} (WrkTimes.ctlWorkTimes) - https://ptaweb.state.wi.us/PTAWeb/DLLs/WrkTimes.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 12924 bytes



And here is the Avira Scan:


Avira AntiVir Personal
Report file date: Monday, July 06, 2009 21:46

Scanning for 1464795 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : XXXXXXX

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 15:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 02:45:22
ANTIVIR2.VDF : 7.1.4.173 306688 Bytes 7/2/2009 02:45:25
ANTIVIR3.VDF : 7.1.4.190 280576 Bytes 7/6/2009 02:45:27
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 17:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/7/2009 02:45:42
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 17:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/7/2009 02:45:40
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 22:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/7/2009 02:45:38
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/7/2009 02:45:37
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/7/2009 02:45:30
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/7/2009 02:45:29
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 22:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, July 06, 2009 21:46

Starting search for hidden objects.
'62581' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hptskmgr.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'RegMech.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avgtray.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'hphmon06.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb11.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'LogiTray.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'LVComS.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'arpwrmsg.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'WMP54Gv4.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'WLService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avgrsx.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avgwdsvc.exe' - '1' Module(s) have been scanned
Scan process 'arservice.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'AAWService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
69 processes with 69 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '89' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\iwexec.exe
[DETECTION] Is the TR/Swizzor.A.97 Trojan
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\WINDOWS\iwexec.exe
[DETECTION] Is the TR/Swizzor.A.97 Trojan
[NOTE] The file was moved to '4ab7ce77.qua'!


End of the scan: Monday, July 06, 2009 23:24
Used time: 1:37:36 Hour(s)

The scan has been done completely.

11621 Scanned directories
719648 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
719646 Files not concerned
15952 Archives were scanned
1 Warnings
2 Notes
62581 Objects were scanned with rootkit scan
0 Hidden objects were found

Edited by C*stag, 07 July 2009 - 08:24 AM.
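As an added example (not code from the thread or from the HijackThis project), a small Python triage helper for the log format posted above: it parses the O2 (BHO), O4 (autostart) and O23 (service) lines, extracts the module each entry loads, and flags the things a log helper checks first, such as the O2 BHO with "(no file)" and Run values given as a bare filename. The sample log is constructed from the kinds of lines in the log above; the flags are hints to verify, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape HijackThis v2.0.2 prints. The entries copy the
# kinds of lines that appear in the log posted above (one BHO with a file, one
# orphaned BHO, Run values with and without a full path, a Startup .lnk, a service).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Entry:
    section: str                  # "O2", "O4", "O23", ...
    name: str                     # BHO name, Run value name, .lnk name or service name
    path: str                     # first executable/DLL on the command line, or "(no file)"
    clsid: Optional[str] = None   # BHO CLSID when the line carries one
    flags: List[str] = field(default_factory=list)


LINE = re.compile(r"^([RFO]\d+) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN = re.compile(r"^.*?: \[(.*?)\] (.*)$")           # HKLM\..\Run: [name] command
LNK = re.compile(r"^.*?Startup: (.*?) = (.*)$")      # Global Startup: name.lnk = target
SERVICE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
MODULE = re.compile(r'^"?(.*?\.(?:exe|dll|ocx))', re.IGNORECASE)


def first_module(command: str) -> str:
    """Return the executable or DLL a command line launches, quoted or not."""
    m = MODULE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage_flags(path: str) -> List[str]:
    """Hints for what to verify by hand; none of these is a verdict on its own."""
    flags: List[str] = []
    if path.lower() == "(no file)":
        flags.append("no_file")          # registry entry survived, its file did not
    elif "\\" not in path:
        flags.append("bare_filename")    # resolved through the PATH search order; confirm which copy runs
    elif path.lower().rsplit("\\", 1)[0] == "c:\\windows":
        flags.append("windows_root")     # loose executable in %SystemRoot%; OEM tools live there too
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 (BHO), O4 (autostart) and O23 (service) lines; other sections are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # header, process list, blank lines
        section, body = m.groups()
        clsid: Optional[str] = None
        if section == "O2" and (b := BHO.match(body)):
            name, clsid, path = b.group(1), b.group(2), b.group(3)
        elif section == "O4" and (r := RUN.match(body)):
            name, path = r.group(1), first_module(r.group(2))
        elif section == "O4" and (k := LNK.match(body)):
            name, path = k.group(1), first_module(k.group(2))
        elif section == "O23" and (s := SERVICE.match(body)):
            name, path = s.group(1), first_module(s.group(3))
        else:
            continue                      # R0/R1/O8/O9/O16 lines are not modelled here
        entries.append(Entry(section, name, path, clsid, triage_flags(path)))
    return entries


def summarize(entries: List[Entry]) -> dict:
    """Map each flagged entry's name to its flags, for a quick read of what to check."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in summarize(parse_hjt(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(flags)}")
```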




#2 Papakid (Malware Response Team)

Posted 07 July 2009 - 08:52 PM

Hi C*stag,

I am taking on your log because of the other topic you posted here: http://www.bleepingcomputer.com/forums/t/239454/ridding-myself-of-this-evil/

We don't encourage posting more than one topic when you have a log submitted for analysis because changes can be suggested in a thread that the poster to this one may not have been aware of and any changes made to your system often changes the log and what the analysis of that log might be. Similarly, adding information to your post, whether an edit or additional posts, causes the same problem. We do like as much info as possible, so I compliment you on wanting to do a good job there, and for the most part you have, but just the fact that you have installed Antivir makes your original HJT log outdated.

I also would like to get some more in depth information. The more modern techniques malware authors use now often don't show in HijackThis.

However, as a preliminary analysis of the information you have provided--and I have looked at the log you posted last year as well--I think your problem is not malware related. The detection by AntiVir may well be a false positive or a near positive--I will need to see new logs to get a better handle on it. But it is very common for problems like you have described to be caused by Registry cleaners and I notice you do have Registry Mechanic installed. And since you do need your computer, let's try a quick fix. Please do the following:

1. Run System Restore. Choose a date before the symptoms began. From what you've posted I think you know how to do this, but if you need any help see the tutorial--Windows XP System Restore Guide. In an earlier post you said something about getting rid of malware by turning off System Restore and then turning it back on again. I hope you have not done that already as you won't have Restore Points from before the problem. Anyone who says System Restore should be turned off before malware clean up is giving you bad advice. Some very knowledgeable people and companies like Symantec do this but it creates a wrong impression and myth that SysRestore is responsible for infections. Any malware stored in SysRestore is inactive and so doesn't cause any symptoms or affect cleanup of the active malware. If there is malware there it should be purged, but after your machine is malware free and running smoothly.

2. Please post the DDS logs by following the instructions that apply to you in the Preparation Guide For Use Before Posting... Don't forget the attachment. :thumbup2:

3. Let me know of any changes you have made since your last post and if you have any questions please ask. Also how the SysRestore worked out for you. I will get back to you as soon as I can when I have seen the logs I've asked for.

The thing about people

is they change

when they walk away.--Mipso


#3 C*stag (Topic Starter)

Posted 08 July 2009 - 12:11 AM

YAY!!! Thank you for getting back to me. I guess I have done a few bad things, I just added the registry editor thing last week because of the other trojan found on my PC by Panda and some site mentioned it. I know, dumb move! I just found your reply now as I was just about to go to sleep. I will do all of those things as soon as I get a chance tomorrow. (I have little kids, so that may take a bit longer than it might...but I will have it done tomorrow!) And sorry about the changes I made since I posted. I was kind of afraid I should not be doing all of that, but I was getting desperate!
I just wanted to get this reply in here so you know that I am still here and looking for some help. I want to make sure everything is 100% gone. Thanks again and I'll be back some time tomorrow! :thumbup2:

#4 C*stag (Topic Starter)

Posted 08 July 2009 - 12:45 PM

Ok, I am almost 100% sure I am to do the restore BEFORE the scan, I just want to make sure so I don't do the wrong thing. I am thinking of restoring it to about one month ago. Does that sound like a good idea?

#5 Papakid (Malware Response Team)

Posted 08 July 2009 - 01:06 PM

Yes, I do want you to follow the instructions in the order given, so doing a System Restore is the first step. With luck it will resolve the main problem.

No, going back a month is not a good idea unless it is necessary. You want to go back in as short an amount of time as possible. Determine as best you can when the problem started and then Restore to the day or two before that. This is because there are side effects to using System Restore. Any software you have installed after the date you restore to will be uninstalled, including Windows updates. It also means your Antivirus definitions will be out of date. So the less amount of time you have to go back the less amount of reinstalling you will have to do.

You seem to indicate that the problems began after your husband used your computer. So if that's true and you remember what day that was, go back to just before he used it. Or if it began after a Registry Mechanic scan and "fix", go back to the day before that.

Just use your best judgment and then let me know how it goes.



#6 C*stag (Topic Starter)

Posted 08 July 2009 - 10:49 PM

I tried four different dates in June (he started using it in June) and ALL of them came up as incomplete restores and I was asked to choose a different date. I am not sure if I am doing something wrong...

ALL of them had restore points, and I did notice something called software distribution 3.0 as a restore point on some dates (none on the dates I chose) but I've never even heard of anything like that before. Is there something else I should be doing to make the restore work??? Sorry it took so long to get back to you, I had to wait until the urchins were in bed so I could give this my full attention. Thank you again for all of your help, you are truly awesome!

#7 Papakid (Malware Response Team)

Posted 08 July 2009 - 11:15 PM

I'm afraid your System Restore is probably corrupted. You have been running AVG, which will quarantine infected Restore points, but when that happens SysRestore gets corrupted--at least temporarily. Other programs can do this also, don't know for sure it was AVG--but we will have to try another way.

Please continue with the rest of the instructions in my first post and post the logs I've asked for and we will go from there.

BTW, the software distribution restore points are related to Windows updates--those should have been made just before updates were installed.



#8 C*stag (Topic Starter)

Posted 08 July 2009 - 11:44 PM

Oh boy! Sounds like we're in for something a bit more "interesting." I could get upset...but I am excited to learn how to fix this, thank you!!

Edit: I forgot to mention that before I got your response I updated to the new Firefox, hoping it would be more secure...it was basically a last effort, even though I knew it would not help.

EDIT, EDIT: Sorry I forgot to zip it! I tried attaching the .rar and it would not let me do so, so that is why it is unzipped. Sorry!
Here are the DDS findings:


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 23:39:23.78 on Wed 07/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1309 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WebCamRT.exe]
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {819F4767-7EFB-11D2-B7D1-0000F67E39D0} - hxxps://ptaweb.state.wi.us/PTAWeb/DLLs/WrkTimes.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\tuz6slfq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search/?fr=ffds1&p=
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-28 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-15 28544]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-6 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-6 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-6 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-6 55640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [2004-9-20 6144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-07-06 21:41 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 21:41 <DIR> --d----- c:\program files\Avira
2009-07-06 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-28 15:20 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-28 14:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-28 14:28 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-20 19:39 16,832 a------- c:\windows\system32\amcompat.tlb
2009-06-20 19:39 23,392 a------- c:\windows\system32\nscompat.tlb
2009-06-20 19:21 <DIR> --d----- c:\windows\Profiles
2009-06-12 01:50 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 01:50 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-12 01:37 <DIR> --dsh--- c:\documents and settings\hp_administrator\PrivacIE
2009-06-12 01:34 <DIR> --dsh--- c:\documents and settings\hp_administrator\IETldCache

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 00:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-12 00:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 16:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 16:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 06:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-02-18 20:18 251 a------- c:\program files\wt3d.ini
2008-09-17 14:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 23:40:10.37 ===============

Edited by C*stag, 08 July 2009 - 11:58 PM.
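The checks a helper applies by eye when reading a DDS log like the one above can be scripted. The Python below is an added example for this thread; it is not part of DDS, HijackThis or anything the poster ran. It parses the "Running Processes" and "Pseudo HJT Report" sections of a DDS-format log and lists review items: processes and Run entries launched from user-writable locations, orphaned BHO/toolbar entries ("No File"), Run values with no command, and ActiveX (DPF) downloads from hosts outside an assumed vendor list. The sample log is a constructed excerpt modelled on the posted one, with two hypothetical lines (an update.exe under Temp and an mRun pointing at it) added so that the checks have something to hit; the host allowlist and the "user-writable" path markers are assumptions to tune for your own environment.

```python
"""Triage a DDS-format log for entries worth a human's second look.
Added example for this thread, not part of DDS or HijackThis.
Every hit is a review item, not a verdict: the scanner itself (dds.scr)
runs from the user's Downloads folder and is deliberately skipped."""
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the posted log; update.exe lines are hypothetical.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\update.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WebCamRT.exe]
mRun: [<NO NAME>]
mRun: [Updater] c:\docume~1\hp_adm~1\locals~1\temp\update.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

============= FINISH: 23:40:10.37 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                 # '==== Name ===='
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\]\s*(.*)$")  # uRun/mRun/dRunOnce
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")      # ActiveX download

# Assumed: path fragments a limited user (or malware running as that user) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\",
                 "\\downloads\\", "\\users\\", "\\appdata\\", "\\applic~1\\")
SCANNER_NAMES = ("dds.scr", "dds.com", "dds.pif")   # names the DDS tool ships under
# Assumed vendor hosts for DPF (ActiveX) downloads; anything else is a review item.
KNOWN_DPF_HOSTS = {"java.sun.com", "download.microsoft.com",
                   "fpdownload2.macromedia.com", "www.adobe.com",
                   "download.bitdefender.com"}


def split_sections(text):
    """Map each '==== Name ====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def from_user_writable(path):
    """True if the path (long or 8.3 short form) sits in a user-writable location."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_scanner(path):
    return path.lower().rstrip().split("\\")[-1] in SCANNER_NAMES


def triage(text):
    """Return (category, detail) pairs for a human to review."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("Running Processes", []):
        if from_user_writable(line) and not is_scanner(line):
            findings.append(("process-from-user-writable-path", line))
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):               # registry entry whose DLL is gone
            findings.append(("orphaned-browser-extension-entry", line))
            continue
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            if not cmd:                              # Run value with no command at all
                findings.append(("empty-autorun-value", f"{key} [{name}]"))
            elif from_user_writable(cmd):
                findings.append(("autorun-from-user-writable-path", line))
            continue
        m = DPF_RE.match(line)
        if m:                                        # DDS defangs URLs as hxxp
            host = urlparse(m.group(2).replace("hxxp", "http", 1)).hostname
            if host not in KNOWN_DPF_HOSTS:
                findings.append(("activex-from-unlisted-host", f"{host}: {line}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"{category:36} {detail}")
```

Run it against a real dds.txt by reading the file into `triage()` instead of `SAMPLE_DDS`. On the posted log it would list the two "No File" entries, the empty `WebCamRT.exe` and `<NO NAME>` Run values, and the Walgreens and Facebook ActiveX sources; all of those are cleanup candidates rather than evidence of infection, which matches the helper's growing suspicion in the thread that this is not a malware problem.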


#9 Papakid


Posted 09 July 2009 - 12:55 AM

Hi again,

I seem to be having a problem downloading the attachment. Please copy and paste the contents into your next post instead of attaching.

It will be tomorrow before I can reach a final conclusion, but it is looking more and more like this is not a malware issue. But I still need to get a better handle on the file that AntiVir found. Please run another AntiVir scan and post the log from it as well as the attached text.

One other possible easy fix. Have you run Registry Mechanic and let it "clean" your registry automatically? Please let me know and if so how many times this was done. There should have been a backup made before any fixes. If run just once, restore that backup and see if the problem goes away.

You also have Registry Mechanic set to run at startup. Is that because it is set to do some cleaning automatically? Some versions of RM have an antivirus included--so that may explain the startup. Let me know if the RM antivirus is enabled or not.

Apologies for my slowness and I hope I live up to your expectations. :thumbup2: :)



#10 C*stag


Posted 09 July 2009 - 07:10 AM

I only ran Registry Mechanic once (I think I downloaded it about one week ago). I HATE THAT THING! I made some of their "fixes" and declined to purchase the "full product." I did not notice that it had an antivirus with it as well. I was actually going to dump the whole thing, but right after I ran it a friend of mine was like "OH...those things are useless and cause more problems!" So I was afraid to dump it for fear I would make things worse. It "monitors" at start-up, which is why I guess it feels it needs to be there; I turn it off almost immediately along with QuickTime and Skype. I have taken Media Player 11 out; that is around the time my husband started messing with my PC, just prior to that actually. Around the time I first posted, I had run Avira a couple of times when I first got it. It found the trojan I mentioned, then it found it again and quarantined it again. I will attach it, but since then it has scanned clean. In the meantime, here is the "attachment." And you are not slow whatsoever; in fact, you have been a great help! Thank you!

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/6/2006 6:41:48 PM
System Uptime: 7/8/2009 10:41:39 PM (1 hours ago)

Motherboard: MSI | | AMETHYST-M
Processor: AMD Athlon™ 64 Processor 3800+ | Socket 939 | 2387/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 164.521 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 1.133 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP704: 4/9/2009 7:26:28 PM - System Checkpoint
RP705: 4/10/2009 8:13:43 PM - System Checkpoint
RP706: 4/13/2009 12:37:43 PM - System Checkpoint
RP707: 4/14/2009 1:08:21 PM - System Checkpoint
RP708: 4/15/2009 2:40:14 PM - Avg8 Update
RP709: 4/16/2009 11:56:55 AM - Software Distribution Service 3.0
RP710: 4/17/2009 1:33:25 PM - System Checkpoint
RP711: 4/18/2009 8:40:01 PM - System Checkpoint
RP712: 4/20/2009 4:06:47 PM - System Checkpoint
RP713: 4/21/2009 4:19:58 PM - System Checkpoint
RP714: 4/22/2009 6:22:18 PM - System Checkpoint
RP715: 4/23/2009 11:55:20 AM - Avg8 Update
RP716: 4/23/2009 11:56:19 AM - Avg8 Update
RP717: 4/26/2009 9:56:47 AM - System Checkpoint
RP718: 4/27/2009 10:10:14 AM - System Checkpoint
RP719: 4/29/2009 11:47:18 AM - System Checkpoint
RP720: 4/30/2009 3:00:18 AM - Software Distribution Service 3.0
RP721: 4/30/2009 11:52:48 AM - Installed Java™ 6 Update 13
RP722: 5/1/2009 12:00:11 PM - System Checkpoint
RP723: 5/2/2009 9:49:52 AM - Avg8 Update
RP724: 5/2/2009 9:50:59 AM - Avg8 Update
RP725: 5/3/2009 10:24:38 AM - System Checkpoint
RP726: 5/4/2009 8:33:03 PM - System Checkpoint
RP727: 5/6/2009 4:13:26 PM - System Checkpoint
RP728: 5/7/2009 9:43:51 PM - System Checkpoint
RP729: 5/9/2009 10:30:11 AM - System Checkpoint
RP730: 5/11/2009 6:03:31 PM - System Checkpoint
RP731: 5/12/2009 1:07:54 PM - Avg8 Update
RP732: 5/12/2009 9:41:00 PM - Software Distribution Service 3.0
RP733: 5/15/2009 11:51:18 AM - System Checkpoint
RP734: 5/16/2009 2:35:37 PM - System Checkpoint
RP735: 5/17/2009 8:12:53 PM - System Checkpoint
RP736: 5/19/2009 9:57:17 AM - Avg8 Update
RP737: 5/19/2009 9:58:05 AM - Avg8 Update
RP738: 5/20/2009 10:05:56 AM - System Checkpoint
RP739: 5/22/2009 11:00:10 AM - System Checkpoint
RP740: 5/23/2009 12:24:15 PM - System Checkpoint
RP741: 5/24/2009 4:34:59 PM - System Checkpoint
RP742: 5/28/2009 1:29:14 PM - System Checkpoint
RP743: 5/29/2009 7:31:16 PM - System Checkpoint
RP744: 5/30/2009 9:04:52 PM - System Checkpoint
RP745: 6/2/2009 12:40:40 PM - Installed QuickTime
RP746: 6/3/2009 8:10:02 PM - System Checkpoint
RP747: 6/5/2009 12:46:56 PM - Software Distribution Service 3.0
RP748: 6/12/2009 2:49:35 AM - Software Distribution Service 3.0
RP749: 6/14/2009 2:00:02 PM - Installed Java™ 6 Update 14
RP750: 6/16/2009 10:07:05 AM - System Checkpoint
RP751: 6/17/2009 3:34:23 PM - System Checkpoint
RP752: 6/17/2009 3:39:56 PM - Installed Windows Media Player 11
RP753: 6/17/2009 3:41:28 PM - Installed Windows XP MSCompPackV1.
RP754: 6/19/2009 9:37:02 AM - System Checkpoint
RP755: 6/20/2009 3:41:54 PM - System Checkpoint
RP756: 6/21/2009 8:20:05 PM - Software Distribution Service 3.0
RP757: 6/23/2009 3:09:53 PM - System Checkpoint
RP758: 6/24/2009 3:55:57 PM - System Checkpoint
RP759: 6/25/2009 3:56:42 PM - System Checkpoint
RP760: 6/28/2009 9:44:28 AM - System Checkpoint
RP761: 6/29/2009 1:18:36 PM - System Checkpoint
RP762: 6/30/2009 2:29:30 PM - System Checkpoint
RP763: 7/1/2009 10:32:54 AM - Avg8 Update
RP764: 7/1/2009 10:34:08 AM - Avg8 Update
RP765: 7/2/2009 1:43:18 PM - System Checkpoint
RP766: 7/6/2009 11:03:30 AM - System Checkpoint
RP767: 7/6/2009 9:38:30 PM - Avira AntiVir Personal - 7/6/2009 21:38
RP768: 7/6/2009 11:41:30 PM - Removed AVG 8.5
RP769: 7/6/2009 11:42:38 PM - Installed AVG 8.5
RP770: 7/8/2009 5:07:29 PM - System Checkpoint
RP771: 7/8/2009 10:28:49 PM - Restore Operation
RP772: 7/8/2009 10:33:04 PM - Restore Operation
RP773: 7/8/2009 10:37:57 PM - Restore Operation
RP774: 7/8/2009 10:42:30 PM - Restore Operation

==== Installed Programs ======================

5 Card Slingo from HP Media Center (remove only)
Ad-Aware
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.5
Adobe Shockwave Player
Agere Systems PCI-SV92PP Soft Modem
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
Apple Mobile Device Support
Apple Software Update
AstroPop Deluxe from HP Media Center (remove only)
ATI Control Panel
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Barnyard Invasion from HP Media Center (remove only)
Beginning Medical Transcription Version 2.1
Beginning Medical Transcription Version 2nd edition version 1.1
Bejeweled 2 Deluxe from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bonjour
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
BufferChm
CameraDrivers
Choice Guard
Chuzzle Deluxe from HP Media Center (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Critical Update for Windows Media Player 11 (KB959772)
Crystal Maze from HP Media Center (remove only)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DocProc
DocumentViewer
DocumentViewerQFolder
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
EQ2MAP Updater 1.2.3
EverQuest II
EverQuest II: Desert of Flames
EverQuest II: Kingdom of Sky
Express Scribe
Family Feud
FATE from HP Media Center (remove only)
Fax
Fax_CDA
Flickr Uploadr 3.0.5
flump
GdiplusUpgrade
GemMaster Mystic
getPlus®_ocx
Greeting Card Factory Express
GTK+ 2.10.6-1 runtime environment
Guild Wars
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPHDiscovery
HPProductAssistant
HpSdpAppCoreApp
Insaniquarium Deluxe from HP Media Center (remove only)
InstantShareDevices
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 14
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Junk Mail filter update
KB408682
Lemonade Tycoon 2 from HP Media Center (remove only)
Lexibox Deluxe from HP Media Center (remove only)
LightScribe 1.4.52.1
Linksys Wireless-G PCI Adapter
Logitech ImageStudio
Magellan RoadMate Manager North America
Mah Jong Quest from HP Media Center (remove only)
Malwarebytes' Anti-Malware
Medical Transcription Fundamentals (Shared Components)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Away Mode
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.5)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MT Skill Builders Cardiology v1.0
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
NCH Toolbox
neroxml
NewCopy
NewCopy_CDA
NVIDIA Drivers
Otto
overland
Panda ActiveScan 2.0
PanoStandAlone
PC-Doctor 5 for Windows
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
Picasa 2
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
PS8100
PSPrinters06
PSPrinters08
PSTAPlugin
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quick Look Electronic Drug Reference 2007
Quick Look Electronic Drug Reference 2007 (Shared Components)
Quicken 2006
QuickTime
RandMap
Readme
Ready Reference Bookshelf
RealPlayer
Registry Mechanic 8.0
Remove IntelliMover Demo
Rhapsody Player Engine
Ricochet Lost Worlds from HP Media Center (remove only)
Scan
ScannerCopy
SCRABBLE from HP Media Center (remove only)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
Shooting Stars Pool from HP Media Center (remove only)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
SkinsHP1
Skype 2.0
Slingo Deluxe from HP Media Center (remove only)
Snowboard SuperJam from HP Media Center (remove only)
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Status
Stedman's Medical Transcription Skill Builders: Creating Cardio (Shared Components)
Stedman's Medical Transcription Skill Builders: Creating Surgic (Shared Components)
Stedman's MT Skill Builders: Creating Surgical Reports v1.0
Stedman's Plus Spellchecker 2005 Bonus Edition (Shared Components)
Super Granny from HP Media Center (remove only)
TC Web Conferencing
The AAMT Book of Style Student Workbook (Shared Components)
The GIMP 2.2.13
Tradewinds from HP Media Center (remove only)
TrayApp
Trillian
Unload
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager
Yahoo! Messenger
Zuma Deluxe from HP Media Center (remove only)

==== Event Viewer Messages From Past Week ========

7/7/2009 2:22:42 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 11 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 10:38:02 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 10:35:51 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 10:34:31 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 10:34:11 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
7/7/2009 1:58:47 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 10 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 1:56:18 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 9 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 1:51:53 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 1:39:38 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 1:35:54 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 6 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 1:29:23 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/7/2009 1:26:46 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/5/2009 10:11:17 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

Attached Files


Edited by C*stag, 09 July 2009 - 07:26 AM.


#11 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:24 PM

Posted 09 July 2009 - 11:18 AM

Well, you are very kind and you are welcome for the help. But don't ever doubt that I am slow. That doesn't mean that I can't give good help, just that it takes me longer than most.

I am going to be a bit further delayed because I have to take my mother to the dentist for some emergency work, so I won't have time to post all that I had in mind for you to do. Let's just try this.

1. Reverse the changes made by RM. Quoting their website, here's how:
Restore registry changes.

The changes that Registry Mechanic makes to your registry file are fully reversible. Registry Mechanic automatically creates a backup every time you click 'Repair'.


Restore Changes:

1. Open Registry Mechanic
2. Click the 'Restore' button in the main program window
3. A list of backup files is displayed along with the date and time of their creation. Place a check in each backup that you wish to restore, and then click the 'Restore' button.
4. When the restore is complete, click 'Finished' to return to the main program window

Note that you may be required to re-start your system to activate the newly-restored keys in your registry file.

http://www.pctools.com/contact/support/pro...istry-mechanic/

2. Disable RM from Autostarting.
Startup preferences.

When Registry Mechanic is installed, by default the startup feature is disabled.

You can change this startup option to 'Full Scan' or 'Disabled' according to your own personal preference.

1. Open Registry Mechanic
2. Click on 'Options'
3. Click on 'Settings'
4. Under General, in the 'Startup & Language' section of the window, change the 'Automatic Startup' option as desired
5. Click 'Save' button and 'OK' to save changes

Set it to disabled and reboot. Are there any other options here besides Full Scan and disabled? If so list them for me.

3. Run your computer for a while and see if you still have the same issues.

4. Scan again with HijackThis and post a new log. It will be some time this evening before I can get back to you.

5. (As an after-thought) Right click on My Computer and choose Properties and post back to me how much RAM you have installed.

The thing about people

is they change

when they walk away.--Mipso


#12 C*stag

C*stag
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:24 PM

Posted 09 July 2009 - 11:36 AM

I am so sorry to hear about your mother's teeth! I hope that all goes well! Thank you for taking the time to reply at all! It must be a rushed day!

Did 1 & 2. Besides Full Scan and Disabled, there are "Send to tray" and "Custom scan".

The other things I will do later as we are having a naptime problem here on my end! LOL! Thanks again!

EDIT:
Got the naptime issue solved. =-) The PC has 239 GHz, 2.00 RAM

Before I restarted the PC it was sort of clicking on things even if I just moused over them. It seems to have stopped that now. It might sound "strange" but the box "sounds" different to me. I mean before and after the restore of the registry things, the humming on the inside of the PC sounds different. I am sure I am just imagining it, but I thought I would mention it, just in case. Off to Scan with HiJackThis, I will post the edit here.

EDIT EDIT: Attaching.

Attached Files


Edited by C*stag, 09 July 2009 - 11:55 AM.


#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:24 PM

Posted 10 July 2009 - 08:23 AM

Thanks much for your concern--my mother got her irritating problem fixed in short order so we're good there. :thumbup2: Unfortunately, I had a bit of a headache last night so had to delay posting once more.

Before I restarted the PC it was sort of clicking on things even if I just moused over them. It seems to have stopped that now. It might sound "strange" but the box "sounds" different to me.

OK, good. This was the main issue, wasn't it? From what you described earlier it sounds as if somehow you got stuck in a loop where programs were constantly opening, which would overload your RAM memory--that's why you were getting the message that your virtual memory was being increased, as Windows memory management will do that--use your hard drive in place of RAM when memory gets low. The 239 GHz is your CPU spec--2.00 might be RAM if it's 2 GB--can you confirm that? It is not all that important since, in that situation, all your RAM will get used up no matter how much you have.

There is a good possibility that the problem was caused by a combination of software installed on your system instead of perhaps RM by itself. Spybot S&D's TeaTimer and Ad-Aware's Adwatch both monitor and restrict changes to the registry. It could be that they were fighting with RM when the latter wanted to clean the registry. AdWatch can be especially stubborn about causing such problems--there have been times that it was necessary to completely uninstall it to clean up malware infections in logs I have worked on or observed in the past. Really it is not a good idea to have both installed at once--I use neither as I don't think they are really necessary and they take up system resources; and I recommend against TeaTimer especially because it just causes more problems and confusion for those that don't have enough knowledge of the registry to know when to allow changes to it or not. It is your choice, but if you want to disable TeaTimer, see the instructions in the following topic--and please follow only the instructions for disabling and resetting TeaTimer:
http://www.bleepingcomputer.com/forums/ind...t&p=1331761

I think the other issue was that you thought you were infected--because of the constant loading of programs and what AntiVir found, correct? Good news here as well. The file AntiVir found is definitely a false positive. It is part of TC Web Conferencing software that your log shows is installed on your system.
http://tc-web-conferencing.software.informer.com/
http://www.siteadvisor.com/sites/conferenc...nloads/8592028/

Do you use this software? If so, for it to work properly, you will need to go to AntiVir quarantine and restore the file c:\windows\iwexec.exe to its original location and then report it to Avira as a false positive and/or tell AntiVir to ignore that file. If this is what you want to do, let me know and I will post instructions. If you aren't using it, I suggest that you uninstall it--the same company uses that same file in a surveillance software--basically a keylogger and probably why it was flagged--known as NetPatrol. I wouldn't have something on my system with those capabilities unless it is needed, even though there are legitimate uses for keyloggers.

Your HijackThis log shows some leftover/orphan reg entries from an apparent previous install of Norton antivirus and the firefox plugin for AVG's Linkscanner. Just about every antivirus now has a removal tool--they are hard to uninstall because they must protect themselves against malware shutting them down. So I suggest you run Norton's and also AVG's. You can find the uninstallers from the following list: http://www.raymond.cc/blog/archives/2009/0...ware/#more-2878

In any event to clean up those orphans please do the following:

Scan again with HijackThis and put a checkmark next to the following entries:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)


Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

You also have some outdated versions of Java and Adobe Reader still installed. Please go to Add/Remove via your Control Panel and uninstall all versions of Java except 6 update 14. Java allows previous versions to be called on and so some holes that are patched in later versions can be exploited by malware.

Adobe Reader can also be exploited and has been recently. The latest version is 9, so I suggest you uninstall 5 and 8.1.5 and install 9. It may be easier to run Secunia's Online Software Inspector and follow the instructions for upgrading there after the scan is run.
http://secunia.com/vulnerability_scanning/online/

And now that you don't need Registry Mechanic's backups, I suggest uninstalling it as well.

When done please post a new HijackThis log, let me know how it all goes and answer the questions I've asked of you. I have one more task for you to do, but it will have to wait till next time. One last question--do you plan on keeping AntiVir?

Edited by Papakid, 10 July 2009 - 08:44 PM.

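As an added example (not from the thread, and not HijackThis code), a PowerShell audit that checks the two things Papakid asks about in this post: Browser Helper Object entries of the kind HijackThis reports as O2 lines, flagging those whose DLL is missing, and every Java runtime still listed in Add/Remove Programs. It assumes the standard Windows registry locations for BHOs and the Uninstall list and should be run from an elevated prompt on the machine being checked.

```powershell
# Added example: audit O2-style BHO entries and installed Java versions.
# Not from the thread or HijackThis; uses the standard registry locations.

function Get-BhoEntries {
    # BHOs are registered here by CLSID; the DLL path lives under HKCR\CLSID\{..}\InprocServer32
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName      # e.g. {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
        $name  = $null
        $dll   = $null
        $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $classKey) {
            $name   = (Get-ItemProperty $classKey -ErrorAction SilentlyContinue).'(default)'
            $inproc = Get-ItemProperty "$classKey\InprocServer32" -ErrorAction SilentlyContinue
            if ($inproc) {
                $dll = [Environment]::ExpandEnvironmentVariables($inproc.'(default)')
            }
        }
        # Same three states HijackThis shows: present, "(file missing)", or "(no file)"
        if (-not $dll) {
            $status = '(no file)'
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $status = '(file missing)'
        } else {
            $status = 'present'
        }
        [pscustomobject]@{
            CLSID  = $clsid
            Name   = if ($name) { $name } else { '(no name)' }
            Path   = $dll
            Status = $status
        }
    }
}

function Get-InstalledJava {
    # Add/Remove Programs reads these keys; old Java runtimes show up as separate entries
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(J2SE|Java)' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Orphaned BHOs correspond to the O2 lines in the post, e.g.
# "{...} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)" or "(no name) - (no file)"
Get-BhoEntries | Where-Object { $_.Status -ne 'present' } | Format-Table -AutoSize

# More than one entry here means older Java runtimes are still installed alongside the current one
Get-InstalledJava | Sort-Object DisplayVersion | Format-Table -AutoSize
```

The orphan list is what you would remove with "Fix checked"; the Java list is what you would prune in Add/Remove, keeping only the newest update.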




