Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cpvfeed.com/winantivirus/winantivirupro


  • Please log in to reply
15 replies to this topic

#1 TLARbb

TLARbb

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA
  • Local time:12:07 AM

Posted 02 October 2006 - 05:53 AM

Hi! I've spent the last couple days scanning with most anything that would run. Some of the programs would not fix anything, just identify issues. But, I am using Trendmicro PC Cillin Internet Security and have run Spybot S&D and Adaware SE on this system.

There appears to be two processes that are related to the issue - PcCtlCom and PcScrSrv. I don't get the popups if I disable the processes before going to IE. But I don't know if stuff is still going on that I am now unaware of. Based on the HiJackThis log, they are part of the Trendmicro package. :thumbsup:

I have run HiJackThis and the logfile appears below:

Logfile of HijackThis v1.99.1
Scan saved at 5:37:39 AM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\dbatp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=67.47.136.9:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;67.47.136.9;systemcontrolcenter
O2 - BHO: (no name) - {400CEDDA-0B77-4660-BC32-54E0CE89E822} - C:\WINDOWS\system32\aclmon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [MotiveMonitor] "C:\Program Files\Motive\AsstCommon\motmon.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_compone...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158290591671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: aclmon - C:\WINDOWS\SYSTEM32\aclmon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe


Hope you can give me some help with this.

EJ
Athens, LA

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 04 October 2006 - 04:35 AM

Hi TLARbb and Welcome to the Bleeping Computer!


Please download Combofix to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.

#3 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA

Posted 04 October 2006 - 07:14 PM

Thank you for your help...

As instructed I have run Combofix and the logfile appears below.

Below that is a new HJT logfile.

My Trendmicro is still putting up notices regarding ~url.cpvfeed.com.

Let me know what you want me to do next....

Combofix log:
Ed - 06-10-04 18:53:43.85 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Ed\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))


2006-10-02 22:14 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2006-10-02 22:02 0 --a------ C:\CONFIG.SYS
2006-10-02 22:02 0 --a------ C:\AUTOEXEC.BAT
2006-10-02 21:50 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-10-02 21:50 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-10-02 21:50 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-10-02 21:50 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-10-02 21:50 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-10-02 21:50 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-10-02 21:50 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-10-02 21:50 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-10-02 21:50 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-10-02 21:50 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-10-02 21:50 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-10-02 21:50 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-10-02 21:50 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-10-02 21:49 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-10-02 21:49 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-10-02 21:49 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-10-02 21:49 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-10-02 21:49 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-10-02 21:49 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-10-02 21:49 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-10-02 21:49 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-02 21:49 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-23 15:36 23,442 --a------ C:\WINDOWS\system32\jkklk.exe
2006-09-23 15:36 16,934 --a------ C:\WINDOWS\system32\aclmon.dll
2006-09-15 05:38 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-14 21:25 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-13 07:29 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-09-13 07:29 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-03 23:33 -------- d-------- C:\Program Files\Messenger
2006-10-03 23:32 -------- d-------- C:\Program Files\Windows Media Player
2006-10-03 23:32 -------- d-------- C:\Program Files\Internet Explorer
2006-10-03 23:25 -------- d-------- C:\Program Files\Outlook Express
2006-10-03 23:25 -------- d-------- C:\Program Files\Common Files\System
2006-10-02 22:44 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-02 22:14 -------- d---s---- C:\Documents and Settings\Ed\Application Data\Microsoft
2006-10-02 20:56 -------- d-------- C:\Program Files\HijackThis
2006-09-30 11:02 -------- d-------- C:\Program Files\Windows Defender
2006-09-29 22:01 -------- d-------- C:\Program Files\QuickTime
2006-09-29 22:00 -------- d-------- C:\Program Files\Netscape Internet Service
2006-09-29 21:58 -------- d-------- C:\Program Files\iTunes
2006-09-29 21:55 -------- d-------- C:\Program Files\Common Files\ISPCOMP
2006-09-29 21:55 -------- d-------- C:\Program Files\Apoint2K
2006-09-29 20:26 -------- d-------- C:\Program Files\Common Files
2006-09-28 09:14 -------- d-------- C:\Program Files\XoftSpy
2006-09-27 21:40 -------- d-------- C:\Program Files\Lavasoft
2006-09-27 21:40 -------- d-------- C:\Documents and Settings\Ed\Application Data\Lavasoft
2006-09-25 19:33 -------- d-------- C:\Program Files\Trend Micro
2006-09-25 17:53 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-15 22:50 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-08-24 22:01 68224 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2006-08-24 22:01 101376 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2006-08-21 16:52 -------- d-------- C:\Documents and Settings\Ed\Application Data\AdobeUM
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"hpWirelessAssistant"=hex(2):22,25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,\
48,50,51,5c,48,50,20,57,69,72,65,6c,65,73,73,20,41,73,73,69,73,74,61,6e,74,\
5c,48,50,20,57,69,72,65,6c,65,73,73,20,41,73,73,69,73,74,61,6e,74,2e,65,78,\
65,22,00
"MotiveMonitor"="\"C:\\Program Files\\Motive\\AsstCommon\\motmon.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Netscape"="C:\\Program Files\\Common Files\\ISPCOMP\\InstallService.exe"
"NetscapeClient"=""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,fe,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aclmon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1145419496.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Wed 10/04/2006 18:54:59.07
ComboFix.txt


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:03 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\dbatp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ed\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=67.47.136.9:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;67.47.136.9;systemcontrolcenter
O2 - BHO: (no name) - {400CEDDA-0B77-4660-BC32-54E0CE89E822} - C:\WINDOWS\system32\aclmon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [MotiveMonitor] "C:\Program Files\Motive\AsstCommon\motmon.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_compone...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159928215203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158290591671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: aclmon - C:\WINDOWS\SYSTEM32\aclmon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 04 October 2006 - 08:04 PM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, Double-click VundoFix.exe to run it again.
  • Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the open boxes
    • C:\WINDOWS\system32\jkklk.exe
    • C:\WINDOWS\system32\aclmon.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



After posting those 2 logs,Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#5 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA
  • Local time:12:07 AM

Posted 04 October 2006 - 09:35 PM

Here we go. First the VundoFix.txt log:

VundoFix V6.2.0

Checking Java version...

Sun Java not detected
Scan started at 8:54:41 PM 10/4/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Beginning removal...

Attempting to delete c:\windows\system32\jkklk.exe
c:\windows\system32\jkklk.exe Has been deleted!

Attempting to delete c:\windows\system32\aclmon.dll
c:\windows\system32\aclmon.dll Has been deleted!

Performing Repairs to the registry.
Done!


Now the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:08 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\dbatp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Documents and Settings\Ed\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=67.47.136.9:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;67.47.136.9;systemcontrolcenter
O2 - BHO: (no name) - {400CEDDA-0B77-4660-BC32-54E0CE89E822} - C:\WINDOWS\system32\aclmon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [MotiveMonitor] "C:\Program Files\Motive\AsstCommon\motmon.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_compone...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159928215203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158290591671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

Off to get and run the F-secure online scanner. :thumbsup:

EJ
Athens, LA

#6 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA

Posted 04 October 2006 - 09:43 PM

The F-secure online scanner did not want to run properly. I suspect it is because I do not have Java installed at this time. Let me know if you want me to get the Java plugin and try again.

Should I try a different program?

EJ
Athens, LA

Edited by TLARbb, 04 October 2006 - 10:04 PM.


#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 05 October 2006 - 02:58 AM

Have you uninstalled all your Sun Java from Add\Remove?

If so,go to http://www.java.com/en/ and install the latest version from the website.


Then proceed with the Online Scan,be sure to use Internet Explorer.

#8 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA
  • Local time:12:07 AM

Posted 05 October 2006 - 06:21 AM

I had uninstalled Java about a week ago. I reinstalled the plugin last night, but I still cannot run the F-secure scanner; the interface locks in an endless loop. I am not getting any of the popups or TrendMicro warnings now. I did run the TrendMicro scanner and it found three cookies, which I deleted. It is not unusual for it to detect some of those.

I will be off to work in a few minutes and will not be back in until tonight about 6:00 PM Central.

Thanks for your help. We are definitely making progress!! :thumbsup:

EJ

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 05 October 2006 - 03:37 PM

Lets double check some things with Internet Explorer.

Check each option in this link to ensure all the IE settings are as they should be.
http://www.microsoft.com/windows/ie/using/...rity/setup.mspx


Try this,Open IE and Click Tools-> Internet Options-> Programs and then click "Reset Web Settings"

Now go back and Click the Advanced Tab and then Click "Restore Defaults"

Lets also check some of the IE Settings

1. From within Internet Explorer click the Tools menu and then click on Internet Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.A.) Change the Download signed ActiveX controls to Prompt
B.) Change the Download unsigned ActiveX controls to Disable
C.) Change the Initialize and script ActiveX controls not marked as safe to Disable
D.) Change the File Download to Prompt
E.) Change the Installation of desktop items to Prompt
F.) Change the Launching programs and files in an IFRAME to Prompt
G.) Change the Navigate sub-frames across different domains to Prompt
5. Click 'OK' and save the settings if prompted.
6. Click Apply and then 'OK' to exit the Internet Properties page.



No matter what happens with the F-Secure scan,I need to see a fresh ComboFix log please.

Scan with ComboFix and Save the resulting log,post that in the next reply.

#10 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA
  • Local time:12:07 AM

Posted 05 October 2006 - 07:48 PM

I still could not get the F-secure scan to load properly and work.

Here is the new Combofix log:



Ed - 06-10-05 19:34:44.39 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Ed\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))


2006-10-02 22:14 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2006-10-02 22:02 0 --a------ C:\CONFIG.SYS
2006-10-02 22:02 0 --a------ C:\AUTOEXEC.BAT
2006-10-02 21:50 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-10-02 21:50 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-10-02 21:50 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-10-02 21:50 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-10-02 21:50 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-10-02 21:50 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-10-02 21:50 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-10-02 21:50 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-10-02 21:50 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-10-02 21:50 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-10-02 21:50 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-10-02 21:50 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-10-02 21:50 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-10-02 21:50 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-10-02 21:49 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-10-02 21:49 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-10-02 21:49 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-10-02 21:49 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-10-02 21:49 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-10-02 21:49 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-10-02 21:49 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-10-02 21:49 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-02 21:49 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-15 05:38 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-14 21:25 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-13 07:29 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-09-13 07:29 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-04 21:55 -------- d-------- C:\Program Files\Java
2006-10-04 21:52 -------- d-------- C:\Program Files\Common Files\Java
2006-10-04 21:52 -------- d-------- C:\Program Files\Common Files
2006-10-04 19:07 -------- d-------- C:\Program Files\HijackThis
2006-10-03 23:33 -------- d-------- C:\Program Files\Messenger
2006-10-03 23:32 -------- d-------- C:\Program Files\Windows Media Player
2006-10-03 23:32 -------- d-------- C:\Program Files\Internet Explorer
2006-10-03 23:25 -------- d-------- C:\Program Files\Outlook Express
2006-10-03 23:25 -------- d-------- C:\Program Files\Common Files\System
2006-10-02 22:44 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-02 22:14 -------- d---s---- C:\Documents and Settings\Ed\Application Data\Microsoft
2006-09-30 11:02 -------- d-------- C:\Program Files\Windows Defender
2006-09-29 22:01 -------- d-------- C:\Program Files\QuickTime
2006-09-29 22:00 -------- d-------- C:\Program Files\Netscape Internet Service
2006-09-29 21:58 -------- d-------- C:\Program Files\iTunes
2006-09-29 21:55 -------- d-------- C:\Program Files\Common Files\ISPCOMP
2006-09-29 21:55 -------- d-------- C:\Program Files\Apoint2K
2006-09-28 09:14 -------- d-------- C:\Program Files\XoftSpy
2006-09-27 21:40 -------- d-------- C:\Program Files\Lavasoft
2006-09-27 21:40 -------- d-------- C:\Documents and Settings\Ed\Application Data\Lavasoft
2006-09-25 19:33 -------- d-------- C:\Program Files\Trend Micro
2006-09-25 17:53 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-15 22:50 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-08-24 22:01 68224 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2006-08-24 22:01 101376 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2006-08-21 16:52 -------- d-------- C:\Documents and Settings\Ed\Application Data\AdobeUM
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"hpWirelessAssistant"=hex(2):22,25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,\
48,50,51,5c,48,50,20,57,69,72,65,6c,65,73,73,20,41,73,73,69,73,74,61,6e,74,\
5c,48,50,20,57,69,72,65,6c,65,73,73,20,41,73,73,69,73,74,61,6e,74,2e,65,78,\
65,22,00
"MotiveMonitor"="\"C:\\Program Files\\Motive\\AsstCommon\\motmon.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Netscape"="C:\\Program Files\\Common Files\\ISPCOMP\\InstallService.exe"
"NetscapeClient"=""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,fe,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1145419496.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Thu 10/05/2006 19:35:14.29
ComboFix.txt
ComboFix2.txt

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 05 October 2006 - 08:04 PM

Lets try the Bit Defender scan.


Please run the Bit Defender Online Scan
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report in generates in a text format please and post it back here

#12 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA

Posted 09 October 2006 - 08:18 PM

Here is the meat of the scan report. I don't know why it saved the HTML version of the scan report as text, but it made the report very long due to all of the formatting stuff in the report. I have pulled the information out of the report that is applicable to what was found. Let me know if you want me to paste all that other junk too. And, I'll run another scan tonight. I'll try to save anything it finds in just plain text this time if I can figure out where I went wrong this morning.

<td colspan=2> &nbsp;
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="252" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Scanned File</b></font></p>
</td>
<td width="195" bgcolor="#CCCCCC" align="right">
<p align="left"><b><font size="2" face="Arial">&nbsp;Status</font></b></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP11\A0001233.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infected with: MemScan:Trojan.Conhook.C</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP11\A0001233.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Disinfection failed</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP11\A0001233.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Deleted</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\aclmon.dll.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infected with: MemScan:Trojan.Conhook.C</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\aclmon.dll.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Disinfection failed</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\aclmon.dll.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Deleted</font></p>
</td>
</tr>
</table>
</td>

<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

Thank you for your help so far.

EJ
Athens, LA

#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 October 2006 - 03:09 AM

So far so good! :thumbsup:


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#14 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA
  • Local time:12:07 AM

Posted 10 October 2006 - 05:22 AM

I do not have enough time before I have to leave for work to do this scan this morning, but I'll run it this evening after work and post the results. The computer has been behaving itself pretty well and I have not seen any more signs of WinAntiVirus Pro popups.

I ran the BitDefender scan again last night and it did not find anything this time.

EJ

Edited by TLARbb, 10 October 2006 - 05:24 AM.


#15 TLARbb

TLARbb
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Athens, LA, USA

Posted 15 October 2006 - 07:31 AM

I finally had time to run the Kaspersky scanner. Here is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 15, 2006 7:21:25 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/10/2006
Kaspersky Anti-Virus database records: 218581
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55939
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:07:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-09252006-180201.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0106\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\OE\Users\{445BA929-0754-421E-B2F9-D5F440A69141}\log\TMASUpdate.20061015.log Object is locked skipped
C:\Documents and Settings\Ed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Deleted Items.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Drafts.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Linda.dbx/[From PayPal Email ID PP321 <service@paypal.com>][Date Wed, 14 Dec 2005 09:43:13 +0100]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.gq skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Linda.dbx/[From PayPal Email ID PP321 <service@paypal.com>][Date Wed, 14 Dec 2005 09:43:13 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gq skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Linda.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Sent Items.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Spam Mail.dbx Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9022D348-7F1C-4755-9897-9E0656846F1A} Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ed\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Digital Lifeline\log\mpbtn.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP30\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E5A7BA78-4476-43D6-ACD6-6F6DE7B30063}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_618.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7b4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


The Trendmicro Antivirus program does not detect the virus noted in this scan. Please let me know how to deal with this particular virus. The computer is not acting strangely now, so we are making progress.

Regards,
EJ




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users