
HijackThis v2.0.2 Log Please Help


  • This topic is locked
9 replies to this topic

#1 Rkinsey1313
  • Members
  • 11 posts

Posted 30 November 2009 - 01:26 AM

As of lately my computer seems to be getting slower and slower. I believe it's infected with something. I'm hoping someone can read this and let me know what the verdict is. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:18 PM, on 11/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 8399 bytes
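To make a log like the one above easier to work through, here is a small parser for the HijackThis line format, added as an example for this thread (it is not the poster's code and not part of HijackThis or DDS). It reads the "Running processes" block and the R/O entries, pulls the launch target out of each O4 autostart line, and flags the three things a reviewer would check first from what is visible in this log: a startup shortcut HJT could not resolve (the `scandisk.lnk = ?` line), Run values that name a bare file with no directory (`ARPWRMSG.EXE`), and anything executing from a temporary or per-user directory. The `SAMPLE_LOG` it runs on is a constructed subset modelled on the posted log, with one invented `Temp\updater.exe` process line added to exercise the last check; the directory list, function names and finding texts are my own choices, not an HJT convention.

```python
"""Parse HijackThis (HJT) v2 log lines and flag autostart entries worth a manual check.

Added example for this thread; not part of HijackThis, DDS, or the original post.
"""
import re
from dataclasses import dataclass

# Constructed sample in the HJT format used in the thread. The Temp\updater.exe
# process line is invented to exercise the user-writable-directory check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:18 PM, on 11/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\updater.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
--
End of file - 8399 bytes
"""

# "O4 - ..." / "R0 - ..." entry lines; the letter+number prefix is the HJT section code.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First executable-looking path in a command line, quoted or not.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.IGNORECASE)
# Directories an ordinary user can write to (XP layout); my own list, not an HJT rule.
WRITABLE_DIRS = ("\\temp\\", "\\temporary internet files\\",
                 "\\local settings\\", "\\application data\\")


@dataclass
class Entry:
    code: str   # e.g. "O4"
    body: str   # text after "O4 - "


@dataclass
class Finding:
    source: str  # the log line the finding refers to
    reason: str


def parse_hjt(text):
    """Return (running_processes, entries) from the text of an HJT log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def o4_target(body):
    """Launch target of an O4 entry body; "?" if HJT left it unresolved; None if unparsable."""
    _location, sep, rest = body.partition(": ")
    if not sep:
        return None
    if rest.startswith("["):               # registry Run value: [name] command line
        _, _, cmd = rest.partition("] ")
    else:                                  # startup-folder shortcut: x.lnk = target
        _, _, cmd = rest.partition(" = ")
    cmd = cmd.strip()
    if cmd in ("", "?"):
        return "?"
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0].strip('"')


def triage(text):
    """Run the three checks described above; returns a list of Finding."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if any(d in proc.lower() for d in WRITABLE_DIRS):
            findings.append(Finding(proc, "process running from a temporary or per-user directory"))
    for e in entries:
        if e.code != "O4":
            continue
        target = o4_target(e.body)
        line = f"{e.code} - {e.body}"
        if target == "?":
            findings.append(Finding(line, "autostart target not resolved by HJT; inspect the shortcut"))
        elif target and "\\" not in target:
            findings.append(Finding(line, "bare filename with no directory; locate the file actually run"))
        elif target and any(d in target.lower() for d in WRITABLE_DIRS):
            findings.append(Finding(line, "autostart points into a temporary or per-user directory"))
    return findings


def summarize(text):
    """Count entries per HJT section code, e.g. {"O4": 4}."""
    counts = {}
    for e in parse_hjt(text)[1]:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.source}")
    print(summarize(SAMPLE_LOG))
```

Run against a real log with `triage(open(path).read())`. The checks only narrow the list: each flagged line still needs the file looked up by hand, as the poster did, and a flag is not a verdict (the DDS tool itself shows up later in this thread running from Temporary Internet Files). Equally, a line that is not flagged is not thereby cleared.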


#2 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 30 November 2009 - 04:25 AM

Hello and welcome to Bleeping Computer ! :(

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Rkinsey1313
  • Topic Starter
  • Members
  • 11 posts

Posted 30 November 2009 - 01:01 PM

Thanks for the prompt reply. I will try to explain the situation as best I know how. I, along with my roommate's daughter and nephew, are the only people that use this computer. I pretty much use it for one thing: gaming. The game I play on here is Diablo 2 LoD, and I don't download anything off the internet because I'm not the most computer literate and I don't wanna be responsible for crashing the computer. However, I believe the nephew plays flash games and downloadable games off the internet, and I'm almost certain that the malicious software on here is from that. It got to the point where my roommate's daughter completely restored the computer while I was at work. And that didn't have any effect. So I proceeded to roam my C drive, looking up the folders and programs individually on the internet to see what was known malware and what was supposed to be there. I was able to find and delete a number of known corrupted files. It did seem to speed the computer up quite a bit, but it's nowhere near what it was when I first started using it and before the nephew really went to town downloading flash games. The worst part is Norton's is long past the evaluation and AVG seemed to slow the computer even more, so the only protection we are using is Windows Firewall. :( I ended up finding this site while I was searching the individual files and saw a lot about HijackThis working for people, so I downloaded it and ran it. I think I missed the initial DDS step, but here is the log. It also says to attach the attach file by zipping it. Ummm.. huh? I'll paste it, but if you need it "zipped" I will need someone to tell me how, please and thank you. Here comes the data.

DDS (Ver_09-11-29.01) - NTFSx86
Run by HP_Administrator at 9:46:38.34 on Mon 11/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.232 [GMT -8:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Documents and Settings\HP_Administrator\My Documents\Rich Bot\D2NT\D2NT Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X2741Q7\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-3-4 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-3-4 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-3-4 161392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-3-4 83568]

=============== Created Last 30 ================

2009-11-30 06:10:46 0 d-----w- c:\program files\Trend Micro
2009-11-30 02:20:04 0 d-----w- c:\windows\system32\appmgmt
2009-11-26 04:46:56 847360 ----a-w- c:\windows\system32\JS32.dll
2009-11-26 03:55:18 0 d-s---w- c:\documents and settings\hp_administrator\UserData
2009-11-26 03:53:39 0 d-sh--r- C:\cmdcons
2009-11-26 03:34:14 1854 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL448AA-ABA a1310n_YC_0Pavi_QCNH550_E61NAemMPC1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.13_T051115_WXP2_L409_M959_J200_7AMD_8Athlon 64_92.19_#060122_N10EC8139_Z14F12F20_G10025954.MRK
2009-11-26 03:33:04 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Symantec
2009-11-26 03:33:04 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Intuit
2009-11-26 03:33:04 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Digital Interactive Systems Corporation
2009-11-26 03:28:33 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-26 03:28:33 5711081 ------w- c:\windows\Hero Editor.CAB
2009-11-26 03:28:33 1346 ----a-w- c:\windows\ST6UNST.000
2009-11-26 03:14:56 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-26 03:14:53 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-26 03:14:45 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-26 01:02:17 0 d-sh--r- c:\windows\system32\dllcache
2009-11-07 06:09:10 0 d-----w- c:\program files\common files\Software Update Utility
2009-11-07 04:58:21 163840 ----a-w- c:\windows\msa.exe

==================== Find3M ====================

2009-09-26 21:37:18 8192 ----a-w- C:\mtwb.dat
2009-09-03 02:08:24 76288 ----a-w- C:\J4J.exe
2007-02-03 04:42:38 22 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 9:47:34.79 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/25/2009 7:31:48 PM
System Uptime: 11/29/2009 11:50:36 AM (22 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Athlon™ 64 Processor 3700+ | Socket 939 | 984/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 178 GiB total, 138.529 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 1.117 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/25/2009 7:33:53 PM - Unsigned driver install
RP2: 11/26/2009 7:45:00 PM - System Checkpoint
RP3: 11/27/2009 8:32:33 PM - System Checkpoint
RP4: 11/28/2009 8:35:03 PM - System Checkpoint
RP5: 11/29/2009 6:19:30 PM - Removed Norton Security Center

==== Installed Programs ======================

5 Card Slingo from HP Media Center (remove only)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
AstroPop Deluxe from HP Media Center (remove only)
ATI Control Panel
ATI Display Driver
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
BufferChm
CameraDrivers
CC_ccProxyExt
ccCommon
ccPxyCore
Chuzzle Deluxe from HP Media Center (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crystal Maze from HP Media Center (remove only)
CueTour
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
DocProc
DocumentViewer
DocumentViewerQFolder
Easy Internet Sign-up
Family Feud
FATE from HP Media Center (remove only)
Fax
Fax_CDA
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
HpSdpAppCoreApp
Insaniquarium Deluxe from HP Media Center (remove only)
InstantShareDevices
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 5
Lemonade Tycoon 2 from HP Media Center (remove only)
Lexibox Deluxe from HP Media Center (remove only)
LightScribe 1.4.52.1
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Mah Jong Quest from HP Media Center (remove only)
Microsoft .NET Framework 1.1
Microsoft Away Mode
Microsoft Money 2005
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Works
MSRedist
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Netscape Browser (remove only)
NewCopy
NewCopy_CDA
Norton AntiSpam
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Otto
PanoStandAlone
PC-Doctor 5 for Windows
PhotoGallery
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
PS2
PSPrinters08
PSTAPlugin
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
Readme
RealPlayer
Remove IntelliMover Demo
Ricochet Lost Worlds from HP Media Center (remove only)
Scan
ScannerCopy
SCRABBLE from HP Media Center (remove only)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Shooting Stars Pool from HP Media Center (remove only)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
SkinsHP1
Slingo Deluxe from HP Media Center (remove only)
Snowboard SuperJam from HP Media Center (remove only)
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
SPBBC
Status
Super Granny from HP Media Center (remove only)
SymNet
Tradewinds from HP Media Center (remove only)
TrayApp
Unload
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
WebFldrs XP
WebReg
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908250
Zuma Deluxe from HP Media Center (remove only)

==== Event Viewer Messages From Past Week ========

11/29/2009 9:18:57 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
11/29/2009 9:18:57 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe. Reference error message: The operation completed successfully. .
11/29/2009 9:18:57 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
11/25/2009 7:34:26 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\powercfg.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.3565.0, the version of the system file is 5.1.2600.2180.

==== End Of File ===========================

Thanks for lending me your expertise, as I am dumbfounded as to what to do. Hopefully it's not too late to save this computer. It is a nice machine, and when it's all cleaned up and running correctly it is flawless. Thank you.

Edited by Rkinsey1313, 30 November 2009 - 01:06 PM.


#4 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 30 November 2009 - 05:52 PM

Hello Rkinsey1313 ! :(

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient, because I won't leave your case suspended in the air, waiting forever.


I will need some time to research the files on your system, so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I have replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.
And also do not make any other changes to your system.
This will not help any of us because fixes are based on strict information I find in your logs so changing it will only complicate the situation. :(

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.



Elle

#5 Rkinsey1313
  • Topic Starter
  • Members
  • 11 posts

Posted 30 November 2009 - 07:02 PM

Hello Elle and thank you for your prompt response. I have used the link provided in your last post and educated myself on how to show my hidden folders. However I have chosen to wait until your next response to display them because I am not the only person that uses this operating system and I'm worried that an alteration may be made to a critical file without my knowing. I am tracking this topic and look forward to having 2 brains working on my situation. Thank you and I look forward to receiving your expertise.

Edited by Rkinsey1313, 30 November 2009 - 07:03 PM.


#6 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 03 December 2009 - 08:05 AM

Hello, Rkinsey1313 :(



1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you: Link 1
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Posted Image

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt


Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#7 Rkinsey1313

Rkinsey1313
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 03 December 2009 - 01:57 PM

Hello again Elle. I have downloaded and run ComboFix. Here is the log.


ComboFix 09-12-02.08 - HP_Administrator 12/03/2009 10:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.621 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared

.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-02 03:51 . 2009-12-02 03:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-12-02 03:50 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-02 03:50 . 2009-12-02 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-02 03:50 . 2009-12-02 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-02 03:50 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 06:10 . 2009-11-30 06:10 -------- d-----w- c:\program files\Trend Micro
2009-11-26 04:46 . 2008-11-02 09:06 847360 ----a-w- c:\windows\system32\JS32.dll
2009-11-26 03:55 . 2009-11-26 03:56 -------- d-s---w- c:\documents and settings\HP_Administrator\UserData
2009-11-26 03:31 . 2005-11-11 00:49 50280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-26 03:31 . 2005-11-10 23:58 136 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2009-11-26 03:31 . 2005-11-11 01:03 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-11-26 03:31 . 2005-11-11 00:59 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-11-26 03:31 . 2005-11-11 00:50 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory
2009-11-26 03:31 . 2005-11-11 00:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2009-11-26 03:31 . 2005-11-11 00:44 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-11-26 03:31 . 2005-11-11 00:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Digital Interactive Systems Corporation
2009-11-26 03:31 . 2005-11-11 00:05 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}
2009-11-26 03:28 . 2009-11-26 03:28 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-26 03:14 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-26 03:14 . 2004-08-04 06:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-26 03:14 . 2001-08-17 22:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-26 01:02 . 2009-12-03 11:18 -------- d-sh--r- c:\windows\system32\dllcache
2009-11-07 06:09 . 2009-11-07 06:09 -------- d-----w- c:\program files\Common Files\Software Update Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 17:26 . 2009-10-09 22:49 -------- d-----w- c:\program files\Diablo II
2009-12-02 21:09 . 2008-12-23 23:45 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-02 21:04 . 2005-11-11 00:30 -------- d-----w- c:\program files\MSN Encarta Standard
2009-12-02 04:11 . 2005-11-11 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-02 01:59 . 2005-11-11 01:02 -------- d-----w- c:\program files\Symantec
2009-12-02 01:45 . 2009-12-02 01:45 -------- d-----w- c:\documents and settings\Heather Lynn\Application Data\Symantec
2009-12-01 00:07 . 2005-11-11 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-26 03:52 . 2009-11-26 03:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Digital Interactive Systems Corporation
2009-11-26 03:34 . 2009-11-26 03:34 1854 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL448AA-ABA a1310n_YC_0Pavi_QCNH550_E61NAemMPC1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.13_T051115_WXP2_L409_M959_J200_7AMD_8Athlon 64_92.19_#060122_N10EC8139_Z14F12F20_G10025954.MRK
2009-11-25 18:38 . 2009-04-23 22:56 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-11-15 08:36 . 2009-09-26 19:08 -------- d-----w- c:\program files\Common Files\AOL
2009-11-09 22:11 . 2009-10-31 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-07 06:45 . 2009-10-31 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-05 08:29 . 2009-07-26 20:55 -------- d-----w- c:\program files\LimeWire
2009-11-01 18:12 . 2009-10-06 00:37 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-31 19:48 . 2009-10-31 19:48 -------- d-----w- c:\program files\NOS
2009-10-31 05:25 . 2009-08-22 04:36 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-31 02:47 . 2009-01-06 18:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-10-31 02:47 . 2008-12-07 01:46 -------- d-----w- c:\program files\Yahoo!
2009-10-31 02:47 . 2009-10-16 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion(2)
2009-10-31 02:47 . 2008-12-07 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-09 23:09 . 2009-10-09 22:49 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-10-06 04:57 . 2009-08-30 23:18 -------- d-----w- c:\program files\iTunes
2009-10-05 17:36 . 2008-12-08 20:16 -------- d-----w- c:\program files\MySpace
2009-10-04 14:45 . 2009-10-04 14:45 1961720 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-04 08:04 . 2009-10-04 08:04 10134 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-09-22 00:09 . 2009-09-22 00:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-09 04:43 . 2009-09-09 04:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-05 07:06 . 2009-09-05 07:06 488968 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup\setup.exe
2007-02-03 04:42 . 2008-12-05 00:49 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-12-02_04.33.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-07 03:24 . 2009-08-07 03:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 35552 c:\windows\system32\wups.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 53472 c:\windows\system32\wuauclt.exe
- 2005-11-10 23:59 . 2005-09-27 06:04 22752 c:\windows\system32\spupdsvc.exe
+ 2005-11-10 23:59 . 2005-02-25 03:35 22752 c:\windows\system32\spupdsvc.exe
+ 2005-11-11 00:05 . 2005-05-04 21:45 13536 c:\windows\system32\spmsg.dll
+ 2009-12-02 21:50 . 2009-08-07 03:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 15360 c:\windows\system32\msisip.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 78848 c:\windows\system32\msiexec.exe
+ 2004-08-10 12:00 . 2009-08-07 03:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-10 12:00 . 2005-05-04 21:45 15360 c:\windows\system32\dllcache\msisip.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 78848 c:\windows\system32\dllcache\msiexec.exe
+ 2004-08-10 12:00 . 2009-08-07 03:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 96480 c:\windows\system32\cdm.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 22240 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\update\spcustom.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 13536 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\spmsg.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 15360 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msisip.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 78848 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msiexec.exe
- 2009-10-15 22:47 . 2005-02-25 03:35 22240 c:\windows\SoftwareDistribution\Download\569d9f4ac4075c88e15e54f5d0847e2b\update\spcustom.dll
- 2009-10-15 22:47 . 2005-02-25 03:35 22752 c:\windows\SoftwareDistribution\Download\569d9f4ac4075c88e15e54f5d0847e2b\spupdsvc.exe
- 2009-10-15 22:47 . 2005-02-25 03:35 14048 c:\windows\SoftwareDistribution\Download\569d9f4ac4075c88e15e54f5d0847e2b\spmsg.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-10 12:00 . 2009-08-07 03:23 575704 c:\windows\system32\wuapi.dll
- 2004-08-10 12:00 . 2004-08-10 12:00 884736 c:\windows\system32\msimsg.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 884736 c:\windows\system32\msimsg.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 271360 c:\windows\system32\msihnd.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-10 12:00 . 2009-08-07 03:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-10 12:00 . 2009-08-07 03:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 884736 c:\windows\system32\dllcache\msimsg.dll
- 2004-08-10 12:00 . 2004-08-10 12:00 884736 c:\windows\system32\dllcache\msimsg.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 271360 c:\windows\system32\dllcache\msihnd.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 371936 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\update\updspapi.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 718048 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\update\update.exe
- 2009-10-15 22:47 . 2005-05-04 21:45 209632 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\spuninst.exe
- 2009-10-15 22:47 . 2005-05-04 21:45 884736 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msimsg.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 271360 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msihnd.dll
- 2009-10-15 22:47 . 2005-02-25 03:35 371936 c:\windows\SoftwareDistribution\Download\569d9f4ac4075c88e15e54f5d0847e2b\update\updspapi.dll
- 2009-10-15 22:47 . 2005-02-25 03:35 718048 c:\windows\SoftwareDistribution\Download\569d9f4ac4075c88e15e54f5d0847e2b\update\update.exe
- 2009-10-15 22:47 . 2005-02-25 03:35 209632 c:\windows\SoftwareDistribution\Download\569d9f4ac4075c88e15e54f5d0847e2b\spuninst.exe
+ 2004-08-10 12:00 . 2009-08-07 03:23 1929952 c:\windows\system32\wuaueng.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 2890240 c:\windows\system32\msi.dll
+ 2004-08-10 12:00 . 2009-08-07 03:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2004-08-10 12:00 . 2005-05-04 21:45 2890240 c:\windows\system32\dllcache\msi.dll
- 2009-10-15 22:47 . 2005-05-04 21:45 2890240 c:\windows\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-04 48752]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Rich&Heather\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-22 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-10 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2009-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 20:16]

2009-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 20:16]

2009-11-26 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\msi.dll
.
Completion time: 2009-12-03 10:48
ComboFix-quarantined-files.txt 2009-12-03 18:47
ComboFix2.txt 2009-12-02 04:35

Pre-Run: 156,426,141,696 bytes free
Post-Run: 156,387,758,080 bytes free

- - End Of File - - 55CBF354045370870FC4E41B44620F9D
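
The "Reg Loading Points" section of a ComboFix log is where a responder looks first, because it lists what starts with Windows. The following is an added example for this thread, not code from ComboFix or from either poster: a Python script that parses the Run-key and Startup-folder entries in the format ComboFix prints them (the excerpt embedded in the script is copied from the log above) and attaches review flags to each one. The flag names and heuristics are the example's own, and they are reading aids rather than verdicts: on this HP Pavilion the one entry that trips two of them, the bare `ARPWRMSG.EXE` resolved to `c:\windows\arpwrmsg.exe`, is the HP AlwaysReady component the log itself names.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix code: parses Run-key and Startup-folder autostart
entries as ComboFix prints them and attaches review flags for a human reader.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Excerpt copied from the ComboFix log in post #7 (HP Pavilion, Windows XP SP2).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-04 48752]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Rich&Heather\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-22 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-10 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# ComboFix line shapes:  "Name"="value" [ - resolved path] [YYYY-M-D size]
#                        Shortcut.lnk - target path [YYYY-M-D size]
# The trailing [date size] is only present when ComboFix located the file.
META = r"(?:\s\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s(?P<size>\d+)\])?\s*$"
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s-\s(?P<resolved>.+?))?' + META)
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk)\s-\s(?P<path>.+?)" + META)


@dataclass
class Autostart:
    source: str                 # registry key or Startup folder the entry lives in
    name: str                   # value name or .lnk file name
    value: str                  # what the loading point literally contains
    path: Optional[str]         # file ComboFix resolved it to, if any
    date: Optional[str]
    size: Optional[int]
    flags: Set[str] = field(default_factory=set)


def review_flags(e: Autostart) -> Set[str]:
    """Heuristic flags (example's own names); each one means 'look', not 'malicious'."""
    flags = set()
    if e.source.upper().startswith("HK") and "\\" not in e.value:
        flags.add("bare_name")          # resolved via the search path, not pinned to one file
    if e.path is None:
        flags.add("unresolved")
    else:
        p = e.path.lower()
        if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
            flags.add("windir_root")    # directly in %windir%; OEM tools and droppers both do this
        if p.startswith("c:\\documents and settings\\"):
            flags.add("profile_path")   # runs from a user-writable profile directory
    if e.date is None or e.size is None:
        flags.add("no_file_metadata")   # ComboFix recorded no [date size] for the target
    return flags


def parse_loading_points(log: str) -> List[Autostart]:
    entries: List[Autostart] = []
    source: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            source = line[1:-1]                      # a registry key header
            continue
        if line.lower().endswith("\\startup\\"):
            source = line                            # a Startup folder header
            continue
        if source is None:
            continue
        if source.lower().endswith(("\\run", "\\runonce")):
            m = RUN_RE.match(line)
            if m:
                value = m["value"]
                resolved = m["resolved"] or (value if "\\" in value else None)
                entries.append(Autostart(source, m["name"], value, resolved, m["date"],
                                         int(m["size"]) if m["size"] else None))
        elif source.lower().endswith("\\startup\\"):
            m = LNK_RE.match(line)
            if m:
                entries.append(Autostart(source, m["name"], m["name"], m["path"], m["date"],
                                         int(m["size"]) if m["size"] else None))
    for e in entries:
        e.flags = review_flags(e)
    return entries


def report(entries: List[Autostart]) -> List[str]:
    """One line per entry, flagged entries first."""
    lines = []
    for e in sorted(entries, key=lambda x: (not x.flags, x.name.lower())):
        tag = ",".join(sorted(e.flags)) or "-"
        lines.append(f"[{tag}] {e.name} -> {e.path or '(unresolved)'} "
                     f"({e.size if e.size is not None else '?'} bytes, {e.date or '?'})")
    return lines


if __name__ == "__main__":
    for line in report(parse_loading_points(SAMPLE_LOG)):
        print(line)
```

Feeding the script the whole log rather than the excerpt works the same way, since it ignores everything outside `[...\Run]` keys and `...\Startup\` folders. Anything it flags still has to be checked by hand (publisher, location, file date against the Windows install date), which is exactly what the helper in this thread does before naming files for removal.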

#8 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:51 PM

Posted 04 December 2009 - 04:41 PM

Hi Rkinsey1313,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\J4J.exe
c:\windows\msa.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please also tell me how the PC is going after running Combofix again. :(


Elle
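
A CFScript `File::` section tells ComboFix which files to delete, and once they are gone there is nothing left to examine. The following is an added example, not ComboFix's own code and not something from the thread: a Python script that reads the same `File::` list as the one posted above (one path per line under the header; any other section syntax is assumed here, not taken from the page) and records size, modification time and SHA-256 of each target before ComboFix is run. The `demo()` function uses a constructed file in a temporary directory so the script runs anywhere.

```python
"""Record what a CFScript 'File::' section is about to delete.

Added example, not ComboFix code: parse the 'File::' list and hash each
target before deletion so the responder keeps a record of what was removed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

# Copy of the script given in post #8 of this thread.
SAMPLE_CFSCRIPT = """File::
C:\\J4J.exe
c:\\windows\\msa.exe
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under their 'Name::' header (assumed general shape)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def inventory_file(path: str) -> dict:
    """Size, UTC mtime and SHA-256 of one target; exists=False if it is not a file."""
    rec = {"path": path, "exists": os.path.isfile(path)}
    if not rec["exists"]:
        return rec
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    rec.update(size=st.st_size,
               modified=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
               sha256=h.hexdigest())
    return rec


def inventory(paths: List[str]) -> List[dict]:
    return [inventory_file(p) for p in paths]


def demo() -> dict:
    """Stand-alone run on a constructed file (content b'abc', not a real sample)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "msa.exe")
        with open(target, "wb") as fh:
            fh.write(b"abc")
        rec = inventory_file(target)
    return rec


if __name__ == "__main__":
    targets = parse_cfscript(SAMPLE_CFSCRIPT).get("File", [])
    for rec in inventory(targets):          # on a non-Windows box these simply report exists=False
        print(rec)
    print(demo())
```

Keep the resulting records with the ComboFix.txt log; a hash of the deleted file is what lets you check it later against an antivirus vendor's or a multi-scanner's database, which the file's name alone cannot do.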

#9 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:51 PM

Posted 07 December 2009 - 07:45 AM

Are you still with me?

Be aware of the possibility of closing your topic if you don't reply in the next 2 days.


Elle

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:51 PM

Posted 09 December 2009 - 07:27 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



