M I Clean?


10 replies to this topic

#1 Happy01


Posted 03 February 2006 - 04:12 PM

I have been having some slow to respond desktop icons and IE sluggishness. Please take a look and see if there is anything to be alarmed about. The only recent change has been an upgrade of AVAST (virus software). Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:32:55 PM, on 2/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

:thumbsup:
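
A triage helper for the HijackThis log above, added here as an example (it is not code from this thread, from BleepingComputer or from the HijackThis project). It parses the O4 autostart and O23 service lines and applies the two checks a helper does by eye: entries HijackThis already marks "(file missing)", and autostart targets on a drive other than the system drive (the "QBCD Autorun" entry points at D:, the DVD drive). SAMPLE_LOG is a constructed excerpt of the log in post #1, and SYSTEM_DRIVES is an assumption about this laptop, not something HijackThis reports.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the log posted in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
"""

SYSTEM_DRIVES = {"C:"}  # assumption: the only fixed disk on the laptop in the thread

# One regex per HijackThis line type handled here.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# First absolute path ending in an executable extension; tolerates a leading quote
# and unquoted paths containing spaces (the log has both forms).
EXE_PATH_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|cpl|com))\b', re.IGNORECASE
)


@dataclass
class Entry:
    kind: str            # "O4" or "O23"
    name: str            # value name, shortcut name or service display name
    command: str         # raw command line exactly as HijackThis prints it
    path: str | None     # absolute path of the target, if one could be extracted
    flags: list[str] = field(default_factory=list)


def target_path(command: str) -> str | None:
    """Return the absolute executable path at the start of a command line, or None."""
    m = EXE_PATH_RE.match(command)
    return m["path"] if m else None


def triage(log_text: str) -> list[Entry]:
    """Parse O4/O23 lines and attach review flags to each entry."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN_RE.match(line):
            kind, name, cmd = "O4", m["name"], m["cmd"]
        elif m := O4_STARTUP_RE.match(line):
            kind, name, cmd = "O4", m["name"], m["cmd"]
        elif m := O23_RE.match(line):
            kind, name, cmd = "O23", m["name"], m["cmd"]
        else:
            continue  # other line types (R0, O2, O16, ...) are not triaged here
        entry = Entry(kind, name, cmd, target_path(cmd))
        if "(file missing)" in cmd:
            entry.flags.append("file missing")
        if entry.path and entry.path[:2].upper() not in SYSTEM_DRIVES:
            entry.flags.append(f"target on drive {entry.path[:2].upper()}, not a system drive")
        entries.append(entry)
    return entries


def flagged(log_text: str) -> dict[str, list[str]]:
    """Map entry name -> flags for every entry that deserves a second look."""
    return {e.name: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```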


#2 MFDnSC


Posted 05 February 2006 - 08:29 PM

Log looks fine

Download EasyCleaner http://www.majorgeeks.com/download414.html

Use the clear files and Unnecessary files buttons – I do not recommend using the Duplicates files button as many dupes are there on purpose.

Not all files will delete – that is normal.

In the unnecessary button I check the top 4 entries
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Happy01


Posted 06 February 2006 - 10:51 AM

Got to be something going on. IE is taking upwards of 5 minutes to start. Then cannot open mail. Trying to start task manager results in about 4-5 minutes before it shows and then there are eight or ten task managers open. (I only hit once) Did find a program appear once called "WIN32:CTX" which I had quarantined and removed?

I will try the Easycleaner.

thanks

#4 MFDnSC


Posted 06 February 2006 - 01:16 PM

With MS Anti - Ewido and SpySweeper - if you are updating and running you should be clean

#5 Happy01


Posted 06 February 2006 - 03:48 PM

A couple of files appear in "temp" which will not remove unless through safe mode; which they then will remove. I believe they are part of avast virus scan, a file named avast also appears, but not sure. When removed they return later: ~DFC27A.tmp and ~DFE5A2.tmp

Something is dramatically slowing system. The task manager barely responds and it took many attempts to open my outlook express.

#6 MFDnSC


Posted 06 February 2006 - 04:06 PM

That is normal WRT the temp files

Well let's see what this says

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.

#7 Happy01


Posted 06 February 2006 - 04:06 PM

Also, in task manager, notice that there are about 48 processes running.
In Easy cleaner, there is a process in the start-up called "QBDC autorun" D:autorun.exe restart IE Sequence first (D drive is DVD drive), which Easyclean gives a red dot (file doesn't exist). Not sure if this is an issue?

#8 MFDnSC


Posted 06 February 2006 - 04:13 PM

You can fix that entry in msconfig - startup - uncheck it

#9 Happy01


Posted 06 February 2006 - 08:28 PM

Okay, here is the spysweeper session log. In the process, spysweeper identified either two Trojans or the same Trojan twice. Program suggested placing trojan(s) in chest which I did.

********
7:42 PM: | Start of Session, Monday, February 06, 2006 |
7:42 PM: Spy Sweeper started
7:42 PM: Sweep initiated using definitions version 611
7:42 PM: Starting Memory Sweep
7:46 PM: Memory Sweep Complete, Elapsed Time: 00:03:39
7:46 PM: Starting Registry Sweep
7:46 PM: Registry Sweep Complete, Elapsed Time:00:00:13
7:46 PM: Starting Cookie Sweep
7:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:46 PM: Starting File Sweep
7:47 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb820291$\shmgrate.exe". Access is denied
7:47 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\inetmib1.dll". Access is denied
7:47 PM: Warning: Failed to open file "c:\windows\$ntuninstallq329390$\shmedia.dll". Access is denied
7:47 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824105$\netbt.sys". Access is denied
7:48 PM: Warning: Failed to open file "c:\system volume information\_restore{68dccd3e-2073-4915-a5dc-a445a55876ad}\rp455\a0020845.exe". Access is denied
7:48 PM: Warning: Failed to open file "c:\windows\$ntuninstallq329834$\raspptp.sys". Access is denied
7:48 PM: Warning: Failed to open file "c:\windows\$ntuninstallq329048$\zipfldr.dll". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbuhci.sys". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\hccoin.dll". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netoc.inf". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\tunmp.sys". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbhub.sys". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb821253$\dwwin.exe". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apps_sp.chm". Access is denied
7:50 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netip6.inf". Access is denied
7:51 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb825119$\itircl.dll". Access is denied
7:51 PM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir41_qcx.dll". Access is denied
7:51 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\hhsetup.dll". Access is denied
7:51 PM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir41_qc.dll". Access is denied
7:51 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netsh.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb823559$\msconv97.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\iphlpapi.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810577$\mrxsmb.sys". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\sysmain.sdb". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\ipv6.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\ws2_32.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir50_qc.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\6to4svc.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbport.sys". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb823559$\html32.cnv". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb821557$\shell32.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb823980$\rpcss.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netoc.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb823980$\rpcrt4.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb823980$\ole32.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq811493$\ntoskrnl.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\wship6.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq811493$\ntkrnlpa.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\pchshell.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\migwiz.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\magnify.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\accwiz.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\osk.exe". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\itss.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\itircl.dll". Access is denied
7:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\hhctrl.ocx". Access is denied
7:53 PM: Warning: Failed to open file "c:\windows\$ntuninstallq329441$\srrstr.dll". Access is denied
7:54 PM: Warning: Failed to open file "c:\windows\$ntuninstallq329115$\crypt32.dll". Access is denied
7:54 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\ipv6mon.dll". Access is denied
7:54 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apps.chm". Access is denied
7:54 PM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir50_qcx.dll". Access is denied
7:54 PM: Warning: Failed to open file "c:\windows\$ntuninstallq817606$\srv.sys". Access is denied
7:55 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810833$\locator.exe". Access is denied
7:55 PM: Warning: Failed to open file "c:\windows\$ntuninstallq819696$\quartz.dll". Access is denied
7:55 PM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\user32.dll". Access is denied
7:55 PM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\winsrv.dll". Access is denied
7:55 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814033$\newdev.dll". Access is denied
7:55 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apphelp.sdb". Access is denied
7:56 PM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\sysmain.sdb". Access is denied
7:56 PM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\win32k.sys". Access is denied
7:56 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb821253$\faultrep.dll". Access is denied
7:57 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\hh.exe". Access is denied
7:59 PM: Warning: Failed to open file "c:\windows\$ntuninstallq817287$\cryptsvc.dll". Access is denied
7:59 PM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\narrator.exe". Access is denied
8:00 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\acgenral.dll". Access is denied
8:00 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb820291$\explorer.exe". Access is denied
8:00 PM: Warning: Failed to open file "c:\windows\$ntuninstallq815021$\ntdll.dll". Access is denied
8:01 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb823182$\cryptui.dll". Access is denied
8:01 PM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apph_sp.sdb". Access is denied
8:01 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb820291$\appwiz.cpl". Access is denied
8:08 PM: Warning: The file sweep got stuck and had to be terminated and restarted in "safe" (slow) mode..
8:08 PM: File Sweep Complete, Elapsed Time: 00:21:45
8:08 PM: Full Sweep has completed. Elapsed time 00:25:45
8:08 PM: Traces Found: 0
********
6:09 PM: | Start of Session, Monday, February 06, 2006 |
6:09 PM: Spy Sweeper started
6:16 PM: Your spyware definitions have been updated.


and HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:23 PM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#10 Happy01


Posted 07 February 2006 - 12:07 PM

I ran spysweeper in SAFE MODE and got these results:

********
11:28 AM: | Start of Session, Tuesday, February 07, 2006 |
11:28 AM: Spy Sweeper started
11:28 AM: Sweep initiated using definitions version 611
11:28 AM: Starting Memory Sweep
11:29 AM: Memory Sweep Complete, Elapsed Time: 00:01:01
11:29 AM: Starting Registry Sweep
11:29 AM: Registry Sweep Complete, Elapsed Time:00:00:14
11:29 AM: Starting Cookie Sweep
11:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:29 AM: Starting File Sweep
11:30 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb820291$\shmgrate.exe". Access is denied
11:30 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\inetmib1.dll". Access is denied
11:30 AM: Warning: Failed to open file "c:\windows\$ntuninstallq329390$\shmedia.dll". Access is denied
11:30 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb824105$\netbt.sys". Access is denied
11:30 AM: Warning: Failed to open file "c:\windows\$ntuninstallq329834$\raspptp.sys". Access is denied
11:30 AM: Warning: Failed to open file "c:\windows\$ntuninstallq329048$\zipfldr.dll". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbuhci.sys". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\hccoin.dll". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netoc.inf". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\tunmp.sys". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbhub.sys". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb821253$\dwwin.exe". Access is denied
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apps_sp.chm". Access is denied
11:32 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netip6.inf". Access is denied
11:32 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb825119$\itircl.dll". Access is denied
11:32 AM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir41_qcx.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\hhsetup.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir41_qc.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netsh.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb823559$\msconv97.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\iphlpapi.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810577$\mrxsmb.sys". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\sysmain.sdb". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\ipv6.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\ws2_32.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir50_qc.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\6to4svc.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbport.sys". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb823559$\html32.cnv". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb821557$\shell32.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb823980$\rpcss.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\netoc.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb823980$\rpcrt4.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb823980$\ole32.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq811493$\ntoskrnl.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\wship6.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq811493$\ntkrnlpa.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\pchshell.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\migwiz.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\magnify.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\accwiz.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\osk.exe". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\itss.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\itircl.dll". Access is denied
11:33 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\hhctrl.ocx". Access is denied
11:34 AM: Warning: Failed to open file "c:\windows\$ntuninstallq329441$\srrstr.dll". Access is denied
11:34 AM: Warning: Failed to open file "c:\windows\$ntuninstallq329115$\crypt32.dll". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\ipv6mon.dll". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apps.chm". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallq327979$\ir50_qcx.dll". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallq817606$\srv.sys". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810833$\locator.exe". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallq819696$\quartz.dll". Access is denied
11:35 AM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\user32.dll". Access is denied
11:36 AM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\winsrv.dll". Access is denied
11:36 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814033$\newdev.dll". Access is denied
11:36 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apphelp.sdb". Access is denied
11:36 AM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\sysmain.sdb". Access is denied
11:36 AM: Warning: Failed to open file "c:\windows\$ntuninstallq328310$\win32k.sys". Access is denied
11:36 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb821253$\faultrep.dll". Access is denied
11:37 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\hh.exe". Access is denied
11:38 AM: Warning: Failed to open file "c:\windows\$ntuninstallq817287$\cryptsvc.dll". Access is denied
11:38 AM: Warning: Failed to open file "c:\windows\$ntuninstallq810565$\narrator.exe". Access is denied
11:39 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\acgenral.dll". Access is denied
11:39 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb820291$\explorer.exe". Access is denied
11:39 AM: Warning: Failed to open file "c:\windows\$ntuninstallq815021$\ntdll.dll". Access is denied
11:40 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb823182$\cryptui.dll". Access is denied
11:40 AM: Warning: Failed to open file "c:\windows\$ntuninstallq814995$\apph_sp.sdb". Access is denied
11:40 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb820291$\appwiz.cpl". Access is denied
11:41 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb817778$\tcpip6.sys". Access is denied
11:46 AM: Found Trojan Horse: trojan-downloader-cat
11:46 AM: a0020844.exe (ID = 80292)
11:46 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbehci.sys". Access is denied
11:46 AM: File Sweep Complete, Elapsed Time: 00:16:40
11:46 AM: Full Sweep has completed. Elapsed time 00:18:02
11:46 AM: Traces Found: 1
11:50 AM: Removal process initiated
11:50 AM: Quarantining All Traces: trojan-downloader-cat
11:50 AM: Removal process completed. Elapsed time 00:00:01



Not sure of the location but I did manage to record this line:

C:\system volume information\_restore{68dccd3e-2073-4195-a5dc-a445a55876ad}rp455\a0020844.exe

Is this trojan being stored in the restore area?
any ideas?

thanks
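
A reader for the Spy Sweeper session log format above, plus the check behind the question in this post, added here as an example (not code from the thread or from Webroot). parse_session() pairs each "Found <category>: <name>" line with the "<file> (ID = n)" line after it, records the "Traces Found" total and whether the trace was quarantined, and keeps the "Failed to open file" warnings; in_restore_point() recognises the \System Volume Information\_restore{GUID}\RPnnn\ layout, which marks a System Restore snapshot copy rather than a live file. SAMPLE_SESSION is a constructed excerpt of the log above, and RECORDED_PATH is constructed from the line the poster recorded, with the backslash before RP455 restored.

```python
"""Spy Sweeper session-log reader and System Restore path check (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the safe-mode session log posted above.
SAMPLE_SESSION = r"""
********
11:28 AM: | Start of Session, Tuesday, February 07, 2006 |
11:28 AM: Spy Sweeper started
11:28 AM: Sweep initiated using definitions version 611
11:31 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb822603$\usbhub.sys". Access is denied
11:46 AM: Found Trojan Horse: trojan-downloader-cat
11:46 AM: a0020844.exe (ID = 80292)
11:46 AM: File Sweep Complete, Elapsed Time: 00:16:40
11:46 AM: Traces Found: 1
11:50 AM: Removal process initiated
11:50 AM: Quarantining All Traces: trojan-downloader-cat
11:50 AM: Removal process completed. Elapsed time 00:00:01
"""
# Constructed from the path the poster wrote down (missing backslash restored).
RECORDED_PATH = r"C:\System Volume Information\_restore{68dccd3e-2073-4195-a5dc-a445a55876ad}\RP455\A0020844.exe"

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>\S+)$")
FILE_RE = re.compile(r"^(?P<file>\S+) \(ID = (?P<id>\d+)\)$")
TRACES_RE = re.compile(r"^Traces Found: (?P<n>\d+)$")
QUARANTINE_RE = re.compile(r"^Quarantining All Traces: (?P<name>\S+)$")
WARN_RE = re.compile(r'^Warning: Failed to open file "(?P<path>[^"]+)"')
# Snapshot directory layout used by Windows XP System Restore.
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp\d+\\", re.IGNORECASE
)


@dataclass
class Detection:
    category: str
    name: str
    files: list[str] = field(default_factory=list)
    quarantined: bool = False


@dataclass
class Session:
    detections: list[Detection]
    traces_found: int | None
    unreadable: list[str]   # files the sweep could not open (hotfix uninstall backups here)


def parse_session(text: str) -> Session:
    """Walk the log once; a file line belongs to the most recent 'Found' line."""
    detections: list[Detection] = []
    unreadable: list[str] = []
    traces = None
    current: Detection | None = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separator rows and blank lines
        msg = m["msg"]
        if fm := FOUND_RE.match(msg):
            current = Detection(fm["category"], fm["name"])
            detections.append(current)
        elif (fl := FILE_RE.match(msg)) and current is not None:
            current.files.append(fl["file"])
        elif tm := TRACES_RE.match(msg):
            traces = int(tm["n"])
        elif qm := QUARANTINE_RE.match(msg):
            for d in detections:
                if d.name == qm["name"]:
                    d.quarantined = True
        elif wm := WARN_RE.match(msg):
            unreadable.append(wm["path"])
    return Session(detections, traces, unreadable)


def in_restore_point(path: str) -> bool:
    """True if the path lies inside a System Restore snapshot (RPnnn) directory."""
    return RESTORE_RE.search(path) is not None


def locate(session: Session, recorded_paths: list[str]) -> dict[str, dict]:
    """Match each detected file name against full paths the user noted down."""
    out: dict[str, dict] = {}
    for d in session.detections:
        for name in d.files:
            full = next((p for p in recorded_paths if p.lower().endswith("\\" + name.lower())), None)
            out[name] = {
                "detection": d.name,
                "full_path": full,
                "in_restore_point": bool(full and in_restore_point(full)),
                "quarantined": d.quarantined,
            }
    return out


if __name__ == "__main__":
    session = parse_session(SAMPLE_SESSION)
    print(f"traces found: {session.traces_found}, unreadable: {len(session.unreadable)}")
    for name, info in locate(session, [RECORDED_PATH]).items():
        print(name, info)
```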

#11 MFDnSC


Posted 07 February 2006 - 04:40 PM

Log is clean

Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam



