
Originally Scanned Agobot-ku Worm + System32


This topic is locked
22 replies to this topic

#1 dawnzig

dawnzig

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 27 April 2007 - 10:39 PM

Hi there.

I'm working w/my dad's HP Pavilion DV 6000 laptop (AMD Turion 64MK-36, 2.01Ghz, 480 MB RAM, Broadcom 802.11b/g WLAN, NVIDIA nForce Networking Controller) running XP Media Ctr Version 2002 SP2, recently auto-updated to IE7--no file-sharing or messenger/chat programs, very basically configured cuz he's a real beginner--and began 'acting strangely'--he said.

For all I know, tho, some issues may be IE7 quirks, since I only know IE6 and dad barely can get around on any computer! He said the clock didn't keep time & date kept getting off, plus his MSN home page and others weren't accepting passwords, & just was 'acting strange.'

Some brilliant person at his DSL co. talked him thru uninstalling the ZoneAlarm-Free he had on it so he didn't have a good firewall for a few weeks... (he only tools around on the Internet & has little idea what's ok to click on)

BUT, Kaspersky's online scanner said it had AGOBOT-KU worm and possibly system32 virus(?) and something to do w/ctfmon (which I just noticed someone mentioning on here today...), altho I don't get hits from any of the other scanners or s/w.

As my first HJT post here, I followed pre-posting instructions nearly to a 'T' -- performing every single thing requested/required + more (except Avert Stinger b/c the prog was outdated [from 2006] and NO updates whatsoever within or on McAfee's site were evident [except an 11MB DAT file for their scanning prog...]). Those scans + an installed AVG antivirus came out CLEAN. All w/ System Restore OFF. (Plus I reinstalled ZoneAlarm firewall).

One odd little thing it does now is requiring Ctrl, Alt, Del be pressed on startup, then another "log-in"-type pop-up comes on, with my dad's name pre-typed in 'username' and password field empty. I just click 'Enter' and Windows comes up fine.

But neither of these boxes were required a couple weeks ago, prior to this "weirdness." And when I tried to fix this in User Profiles I was told something about how I needed to shutdown 'Client Service for Netware,' (which I did, but it doesn't make a difference) which is interesting because getting these weird pop-ups at start-up was prior to my getting rid of malware/junkware/temp files, etc, and we WERE getting a "Select Netware Logon" box when this all started--which was REALLY weird!

Also, my boyfriend says it's kinda strange that port 33233 is open, tho he can't figure how that might be related to anything.... (Kurt Seifried says: "Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3; Common service(s): client; Service description(s): Outgoing client connections from systems; Common server(s): RPC based services, Windows Messaging Service; Common client(s): All client software (SSH, Web clients, etc.); Common problem(s): Insecure client software; Encrypted options: Not applicable; Secure options: Not applicable; Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state); Attack detection: As a general rule data coming in to client ports that is not part of an established connection is likely an attack. Exceptions exist of course, such as FTP, various instant messenger protocols, file sharing protocols, IRC's DCC, and so on.)

And another minor weird/strange thing that I tried googling but only found others having the problem also thinking it might be virii/spyware-related, is that the cursor auto-clicks anytime it's positioned on a hyperlink--VERY problematic for someone like my dad who doesn't even realize what might possibly BE a link on sites/pages... at least I'm aware of it. I couldn't find ANY way, ANYWHERE, to remedy this in the Synaptics Touchpad itself, the control panel, etc., nor are there any clues in any of the scans/logs....

Lastly, altho I'm somewhat computer-s/w coherent, I've never gone as far as editing registry entries, FWIW (outside CC Cleaner & HJT auto-stuff), but am sure I can do so w/guidance if need be.

OK, sorry for all this blather, but I felt the history was necessary. Thanks ever so much for your time! :thumbsup:

Kindly,
Dawn(zig)

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:47:13 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\HPISPz\delself.exe
C:\dads hijack this 4-20\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hpshopping.com/cgi-bin/hpdirect...&aoid=26020
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joe's Worldwide Wed
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Virtual Assistant.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177539914269
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
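The log above is the kind of thing a forum helper reads by eye. As an added example (not a BleepingComputer or HijackThis tool, and not the helpers' actual method), here is a small triage script that parses the "Running processes", O4, O9 and O23 sections of a HijackThis v1.99 log and applies three simple heuristics: an executable running from a user Temp folder, an O4 Run entry that gives no full path (so it is resolved via the search path and cannot be checked from the log alone), and an O9 button whose target is marked "(file missing)". The sample log embedded in the script is constructed, modelled on a few lines from the post; the heuristics are my own assumptions about what deserves a second look, and a hit only means "verify this", not "this is malware" (the Temp-folder delself.exe in the original log, for instance, sits under an HP-named folder and may well be an installer remnant).

```python
"""Triage helper for HijackThis v1.99 log lines (added example; assumptions:
the heuristics below are the author's, not HijackThis's own logic)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on a handful of lines from the log above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\DOCUME~1\\JOSEPH~1\\LOCALS~1\\Temp\\HPISPz\\delself.exe
C:\\dads hijack this 4-20\\HijackThis.exe

O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Matches a path component that is a user Temp folder (short 8.3 or long form).
TEMP_DIR = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|Temp)\\", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# A Run command is "fully pathed" if it starts with a drive letter or an %ENV% variable.
FULL_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\)')


@dataclass
class Finding:
    section: str   # "process", "O4", "O9" or "O23"
    detail: str    # the offending line or entry
    reason: str    # why it was flagged


def parse_hjt(text):
    """Return (processes, o4_entries, o9_lines, o23_entries) from a HijackThis log."""
    processes, o4, o9, o23 = [], [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        if m := O4_LINE.match(line):
            o4.append(m.groupdict())
        elif line.startswith("O9 - "):
            o9.append(line)
        elif m := O23_LINE.match(line):
            o23.append(m.groupdict())
    return processes, o4, o9, o23


def triage(text):
    """Apply the three heuristics and return the findings in log order."""
    processes, o4, o9, o23 = parse_hjt(text)
    findings = []
    for p in processes:
        if TEMP_DIR.search(p):
            findings.append(Finding("process", p, "executable running from a Temp folder"))
    for e in o4:
        if not FULL_PATH.match(e["cmd"].strip()):
            findings.append(Finding("O4", f'[{e["name"]}] {e["cmd"]}',
                                    "Run entry has no full path; resolved via search path"))
    for line in o9:
        if line.endswith("(file missing)"):
            findings.append(Finding("O9", line, "button target file is missing (stale entry)"))
    for s in o23:
        if TEMP_DIR.search(s["path"]):
            findings.append(Finding("O23", s["name"], "service binary in a Temp folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.reason}: {f.detail}")
```

Run against the constructed sample it reports three items: the Temp-folder process, the unpathed O4 entry, and the stale O9 button. The O23 check is there because a service pointing into a Temp folder is a much stronger signal than a one-off process, which is why the helper in this thread asked for the O20-O23 lines to be checked.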


#2 dawnzig

dawnzig
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 03 May 2007 - 02:59 PM

New info as of May 2:

Super AntiSpyware found "Trojan.WinCommDownloader C:\PROGRAMS\~WINLOCK\WINLOCK.EXE" -- This was removed/quarantined or whatever that prog does w/them

Panda found:
Potentially unwanted tool:Application/Processor; Not disinfected; C:\Documents and Settings\Joseph Scire\Desktop\SmitRem Scanner\smitRem\Process.exe
Potentially unwanted tool:Application/Processor; Not disinfected; C:\Documents and Settings\Joseph Scire\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Spyware/PeoplePC; Not disinfected; C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL

But...Smit Rem is a LEGIT program!! Also, I can't find any way to uninstall the PeoplePC that came on his computer -- it's not actually installed yet, so how do I get rid of the DLL?

New HJT Log 5-2:
Logfile of HijackThis v1.99.1
Scan saved at 4:47:49 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\dads hijack this 4-20\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hpshopping.com/cgi-bin/hpdirect...&aoid=26020
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joe's Worldwide Wed
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Virtual Assistant.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177539914269
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O20-O23 processes were all legit... I checked

Thanks!

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:38 AM

Posted 03 May 2007 - 05:58 PM

Hello dawn,

I am SifuMike and I will be helping you. :thumbsup:


I am not seeing much in your Hijackthis log, so let's dig deeper.

You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on AVG antispyware in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update".
If you are having problems with the updater, manually update with the AVG Antispyware Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking    
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.    
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.    
 In the right pane, uncheck Enable Script Blocking (recommended).    
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


When done, submit the ComboFix log, the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.

Edited by SifuMike, 03 May 2007 - 06:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 dawnzig

dawnzig
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 03 May 2007 - 06:07 PM

Hi SifuMike, and thanks kindly for the help!

I will re-run Bit Defender again since I hadn't run it again after finding the Wincomm.exe downloader.

Also, should I uninstall AVG as a whole then install the 30-day trial software? Or will the trialware go on top of the current installation (it's the freeware antivirus, but since I just installed it last week, it has a 14-day free trial of some extended features)....

And I'll make sure to load the ATF, too.

FYI, I also still have Restore turned off.

Thanks,
Dawn

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:38 AM

Posted 03 May 2007 - 06:12 PM

Hi Dawn,

Also, should I uninstall AVG as a whole then install the 30-day trial software? Or will the trialware go on top of the current installation (it's the freeware antivirus, but since I just installed it last week, it has a 14-day free trial of some extended features)....


AVG antispyware (free) is not the same as AVG antivirus you have installed. They will not interfere with each other.

AVG antivirus has a free version and a paid version. You do not have to buy AVG antivirus, just use the free version. If you want the free version (of AVG antivirus) and have the paid version installed, then uninstall the paid for version before installing the free version.

These are all free. See here:

Avast or
AntiVir or
AVG antivirus


Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

FYI, I also still have Restore turned off.


Turn it back on. Better to have a Restore point set, than have none.

Edited by SifuMike, 03 May 2007 - 06:42 PM.


#6 dawnzig

dawnzig
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 03 May 2007 - 08:55 PM

Hey again, sorry it's taking so long. The laptop lost net connectivity right after the BitDefender scan so I'm gonna call the fios folks and see if they have any insight (tho it's the only comp that won't connect now....)

Unfortunately, AVG is 10+mgs so won't go onto a cd....
I'll letcha know what's going on as I progress.

BD Scan was clean:
BitDefender Online Scanner

Scan report generated at: Thu, May 03, 2007 - 21:16:14


Scan path: C:\;D:\;E:\;


Statistics

Time
01:44:39

Files
634125

Folders
8067

Boot Sectors
4

Archives
11373

Packed Files
65157




Results

Identified Viruses
0

Infected Files
0

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
0


Engines Info

Virus Definitions
504018

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1


Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

No virus found.

#7 dawnzig

dawnzig
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 03 May 2007 - 09:34 PM

back online now...scanning w/avg :thumbsup:

#8 dawnzig

dawnzig
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 03 May 2007 - 11:11 PM

Got rid of almost 18Mb of temp files!

Then, no AVG report because it scanned clean; doesn't give an option for a report in that case.

Now on the last step. :thumbsup:

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:38 AM

Posted 03 May 2007 - 11:34 PM

Hi Dawn,

Then, no AVG report because it scanned clean; doesn't give an option for a report in that case.

AVG antispyware always makes a report. A copy the report will be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\.
Please post that report (unless it is too big) even if it came out clean.

Edited by SifuMike, 03 May 2007 - 11:38 PM.


#10 dawnzig

dawnzig
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:Sunny Florida
  • Local time:01:38 PM

Posted 04 May 2007 - 12:04 AM

OK... here's the AVG, Combofix + new HJT reports.

Also wanted to note one other little buggy irritation (since it's abnormal!) the machine *sometimes* self-checks the "Client for NetWare Service" under Wireless Network Connection, 'Properties,' under the 'General' tab, which keeps me from connecting (tho that wasn't the prob tonight). Think it only does so after Shutdown, but not Restart.... Whatever THIS has to do with anything...?!?
Thanks again!
Dawn

BTW, the AVG program files autosave under C:\Program Files\Grisoft\AVG... -- I forgot that I manually change the directory on download on my own computer (to Program Files\AVG) because that always trips me up!! :thumbsup:

-------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:17:50 PM 5/3/2007

+ Scan result:

Nothing found.

::Report end

**********************************************************

"Joseph Scire" - 07-05-04 0:23:45 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Joseph Scire\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))

2007-05-03 22:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-02 18:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-02 18:54 <DIR> d-------- C:\DOCUME~1\JOSEPH~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-02 18:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-02 18:26 <DIR> d-------- C:\Program Files\CCleaner
2007-04-26 15:35 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-04-26 01:47 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-26 01:47 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-26 01:47 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-26 01:47 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-24 17:50 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-24 15:57 <DIR> d-------- C:\DOCUME~1\JOSEPH~1\.housecall6.6
2007-04-24 03:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-24 01:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-20 19:16 <DIR> d-------- C:\dads hijack this 4-20
2007-04-20 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-19 21:04 1,339 --a------ C:\WINDOWS\checkip.dat
2007-04-12 09:18 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-07 16:13 <DIR> d-------- C:\DOCUME~1\JOSEPH~1\APPLIC~1\Image Zone Express
2007-04-07 16:01 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-04-07 16:01 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-04-07 16:01 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-04-07 16:01 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-04-07 16:01 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-04-07 16:01 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-04-07 16:00 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-07 15:59 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-04-07 15:58 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll
2007-04-07 15:51 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-07 15:51 14,916 --------- C:\WINDOWS\hphmdl12.dat
2007-04-07 15:51 123,996 --a------ C:\WINDOWS\HPHins12.dat

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-02 20:59 -------- d-------- C:\Program Files\linksys easylink advisor
2007-05-02 18:47 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-26 01:49 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-22 20:44 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-04-22 18:20 -------- d-------- C:\Program Files\digstream
2007-04-12 09:20 -------- d-------- C:\Program Files\windows media connect 2
2007-04-07 16:03 -------- d-------- C:\Program Files\hp
2007-03-31 16:06 -------- d-------- C:\Program Files\microsoft location finder
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 21:01 -------- d-------- C:\Program Files\rgb
2007-02-25 18:36 0 --a------ C:\DOCUME~1\JOSEPH~1\APPLIC~1\wklnhst.dat
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"QlbCtrl"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,48,65,77,6c,65,\
"Cpqset"="C:\\Program Files\\Hewlett-Packard\\Default Settings\\cpqset.exe"
"RecGuard"="C:\\Windows\\SMINST\\RecGuard.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"EasyLinkAdvisor"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwprovau\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Location Finder"="\"C:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"MsmqIntCert"="regsvr32 /s mqrt.dll"
"nwiz"="nwiz.exe /installquiet /nodetect"
"Reminder"="C:\\Windows\\CREATOR\\Remind_XP.exe"
"Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HPCeeSchedule.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 00:26:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hZ??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Completion time: 07-05-04 0:27:01
C:\ComboFix-quarantined-files.txt ... 07-05-04 00:27

Logfile of HijackThis v1.99.1
Scan saved at 12:29:55 AM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\dads hijack this 4-20\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hpshopping.com/cgi-bin/hpdirect...&aoid=26020
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Virtual Assistant.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177539914269
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#11 SifuMike

Posted 04 May 2007 - 12:14 AM

Hi Dawn,

Your log looks clean. :thumbsup:

Please run Kaspersky Online scanner again and post the log.
Let me know if you need the link.

Edited by SifuMike, 04 May 2007 - 12:15 AM.

#12 dawnzig

Posted 04 May 2007 - 01:22 AM

Well, I WOULD do that but can't.

First, I accidentally opened the link for BitDefender and got a window telling me that IE was not the default browser, did I want to make it...blah, blah...yes. Okayyyyyy...

So then I go to Kaspersky Labs' www.Kapersky.com/virusscanner where I get the button for the Online Scanner, hit it and the pop-up w/Welcome to the Kaspersky Online Scanner screen with Accept/Decline options, which I Accept. (FOUR times now!!)

Then it turns to the Scanner page where I see where it'd initialize then update the database, etc.... except the ActiveX pop-up stops it. ('kavwebscan_unicode.cab' from 'Kaspersky Lab')> I click and click "Install ActiveX" and go directly back to the Welcome to the Kaspersky Online Scanner screen, only no Accept/Decline options and no other real options. And NOTHING happens. Nothing. Click other places. Nothing under tech support there.....

That pg just tells the benefits of Kaspersky AV, the Requirements & limitations:
#1 is having to run it w/Administrator privileges --which was one of the issues.... the machine still insists that I ctrl,alt,del, etc., on startup

When I try changing it via User Accts/Ctrl Panel--no 'Advanced' Tab appears which it's supposed to if I have administrator privileges (which this account IS!!)..... so I can't stop it from doing the ctrl/alt/del thingee...

And the dang auto-clicking is still such a pain, I try to read something in Ctrl Panel, say, and if inadvertently on a link--oops, there goes the page! grrrrrrrrrr! <getting very frustrated> :flowers: + still have my OWN work due tomorrow a.m. I'm trying to get done in between.

So... any ideas? :thumbsup:

#13 dawnzig

Posted 04 May 2007 - 04:00 AM

Found an interesting HP error log when I tried looking further into the User Accts thing (not resolved). Granted, most shows my bf's aggressive computer 'GEO' (directly connected to the fios-which still has some kinks, obviously), but some other errors were enlightening (i.e., W32Time being related to the clock/date issues--tho maybe related to trojan & could be fixed now)

Little over a week's worth of "Advanced System Information - error log"

Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Sunday, April 22, 2007 Service Control Manager The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
Sunday, April 22, 2007 Service Control Manager The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
Sunday, April 22, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 Avg7Core Avg7RsW Av g7RsXP Fips
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Sunday, April 22, 2007 Service Control Manager The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
Sunday, April 22, 2007 Service Control Manager The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
Sunday, April 22, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 Avg7Core Avg7RsW Av g7RsXP Fips
Sunday, April 22, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Tuesday, April 24, 2007 Service Control Manager Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Tuesday, April 24, 2007 Service Control Manager The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
Tuesday, April 24, 2007 Service Control Manager The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
Tuesday, April 24, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 Avg7Core Avg7RsW Av g7RsXP Fips
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-B F92-0060081ED811}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Tuesday, April 24, 2007 Service Control Manager The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
Tuesday, April 24, 2007 Service Control Manager The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
Tuesday, April 24, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 Avg7Core Avg7RsW Av g7RsXP Fips
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C 000-000000000046}
Tuesday, April 24, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B 726-00C04FB926AF}
Wednesday, April 25, 2007 Service Control Manager Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
Wednesday, April 25, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Wednesday, April 25, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, April 26, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, April 26, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, April 26, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC 8-A181. The master browser is stopping or an election is being forced.
Thursday, April 26, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC 8-A181. The master browser is stopping or an election is being forced.
Thursday, April 26, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC 8-A181. The master browser is stopping or an election is being forced.
Thursday, April 26, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC 8-A181. The master browser is stopping or an election is being forced.
Thursday, April 26, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, April 26, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, April 26, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Thursday, April 26, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Friday, April 27, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC 8-A181. The master browser is stopping or an election is being forced.
Friday, April 27, 2007 Service Control Manager Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
Friday, April 27, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC 8-A181. The master browser is stopping or an election is being forced.
Friday, April 27, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Friday, April 27, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Friday, April 27, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Friday, April 27, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 29 minutes. NtpClient has no source of accurate time.
Saturday, April 28, 2007 ipnathlp The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
Saturday, April 28, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Saturday, April 28, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Saturday, April 28, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Saturday, April 28, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Saturday, April 28, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Saturday, April 28, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Sunday, April 29, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Sunday, April 29, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Sunday, April 29, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Wednesday, May 02, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Wednesday, May 02, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Wednesday, May 02, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Wednesday, May 02, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Wednesday, May 02, 2007 Service Control Manager The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
Wednesday, May 02, 2007 Service Control Manager The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
Wednesday, May 02, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 Avg7Core Avg7RsW Avg7RsXP Fips SASDIFSV SASKUTIL
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Wednesday, May 02, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Wednesday, May 02, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Wednesday, May 02, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Wednesday, May 02, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Thursday, May 03, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Thursday, May 03, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Thursday, May 03, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Thursday, May 03, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Thursday, May 03, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Thursday, May 03, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, May 03, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, May 03, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Thursday, May 03, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Thursday, May 03, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, May 03, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Thursday, May 03, 2007 MRxSmb The master browser has received a server announcement from the computer GEO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DAE2B50C-269A-4CC8-A181. The master browser is stopping or an election is being forced.
Thursday, May 03, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Thursday, May 03, 2007 Service Control Manager The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
Thursday, May 03, 2007 Service Control Manager The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
Thursday, May 03, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 AVG Anti-Spyware Driver Avg7Core Avg7RsW Avg7RsXP Fips SASDIFSV SASKUTIL
Thursday, May 03, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Thursday, May 03, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Thursday, May 03, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Thursday, May 03, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service Avg7Alrt with arguments "-Service" in order to run the server: {3486DF65-1D90-406A-A072-30629910F113}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service Avg7Alrt with arguments "-Service" in order to run the server: {3486DF65-1D90-406A-A072-30629910F113}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service Avg7Alrt with arguments "-Service" in order to run the server: {3486DF65-1D90-406A-A072-30629910F113}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Friday, May 04, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Friday, May 04, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Friday, May 04, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Friday, May 04, 2007 Service Control Manager The WebClient service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Friday, May 04, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

application errors:
Thursday, January 18, 2007 Application Error Faulting application space.scr, version 5.1.2600.2180, faulting module space.scr, version 5.1.2600.2180, fault address 0x0001d343.
Thursday, January 18, 2007 Application Error Fault bucket 143992858.
Thursday, January 18, 2007 DrWatson The application, , generated an application error The error occurred on 01/18/2007 @ 19:41:29.796 The exception generated was c0000005 at address 0101D343 (space)
Thursday, February 22, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Friday, February 23, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Saturday, March 10, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Monday, March 26, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Thursday, April 12, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Thursday, April 12, 2007 Application Error Fault bucket 179419358.
Thursday, April 12, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Thursday, April 12, 2007 Application Error Fault bucket 179419358.
Thursday, April 19, 2007 Application Error Faulting application setupwizard.exe, version 6.0.0.0, faulting module setupwizard.exe, version 6.0.0.0, fault address 0x000a5ccd.
Thursday, April 19, 2007 DrWatson The application, E:\SetupWizard.exe, generated an application error The error occurred on 04/19/2007 @ 21:21:28.546 The exception generated was c0000005 at address 004A5CCD (SetupWizard)

#14 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2007 - 12:06 PM

Hi Dawn,


QUOTE
Then it turns to the Scanner page where I see where it'd initialize then update the database, etc.... except the ActiveX pop-up stops it. ('kavwebscan_unicode.cab' from 'Kaspersky Lab')> I click and click "Install ActiveX" and go directly back to the Welcome to the Kaspersky Online Scanner screen, only no Accept/Decline options and no other real options. And NOTHING happens. Nothing. Click other places. Nothing under tech support there.....


Sounds like the ActiveX is not installed. :thumbsup: Are you using IE to run Kaspersky?

Test Your ActiveX Installation


If ActiveX is not enabled: See these instructions to enable ActiveX.

QUOTE
.... the machine still insists that I ctrl,alt,del, etc., on startup
When I try changing it via User Accts/Ctrl Panel--no 'Advanced' Tab appears which it's supposed to if I have administrator privileges (which this account IS!!)..... so I can't stop it from doing the ctrl/alt/del thingee...


QUOTE
One odd little thing it does now is requiring Ctrl, Alt, Del be pressed on startup, then another "log-in"-type pop-up comes on, with my dad's name pre-typed in 'username' and password field empty. I just click 'Enter' and Windows comes up fine.



See if this helps : Not Requiring Ctrl-ALT-DEL at logon
http://www.visualwin.com/Disable-C-A-D/



Let's run Microsoft's System File Checker program.

The utility will check the system files and automatically replace any that it finds necessary.

Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

You may need the Windows Install CD, so have it ready.
Go to Start, then Run, type sfc /scannow in the run box and press enter.

When it has finished it will close itself.

Note: There is a space between sfc and the forward slash. Windows will ask you for your Windows Install CD so put it in...don't worry if the XP setup screen appears, this is not a part of sfc /scannow, your autorun utility in Windows is starting it. Simply minimize the screen and allow sfc to continue.

This is really a question for our Windows forum. http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/






QUOTE
Found an interesting HP error log when I tried looking further into the User Accts thing (not resolved). Granted, most shows my bf's aggressive computer 'GEO' (directly connected to the fios-which still has some kinks, obviously), but some other errors were enlightening (i.e., W32Time being related to the clock/date issues--tho maybe related to trojan & could be fixed now)



Sorry, my expertise is malware removal, not printer log problems. Your computer is free of malware as far as I can tell. One of our other forums should be able to help you with this HP error log (or the HP forum).

Edited by SifuMike, 04 May 2007 - 12:48 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 dawnzig

  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:Sunny Florida

Posted 05 May 2007 - 12:26 AM

QUOTE
Then it turns to the Scanner page where I see where it'd initialize then update the database, etc.... except the ActiveX pop-up stops it. ('kavwebscan_unicode.cab' from 'Kaspersky Lab')> I click and click "Install ActiveX" and go directly back to the Welcome to the Kaspersky Online Scanner screen, only no Accept/Decline options and no other real options. And NOTHING happens. Nothing. Click other places. Nothing under tech support there.....


Sounds like the ActiveX is not installed. Are you using IE to run Kaspersky?


Um, yeah to both:

I click and click "Install ActiveX" ..... And NOTHING happens. Nothing.



and

...got a window telling me that IE was not the default browser, did I want to make it...blah, blah...yes.



IE 7 has always BEEN the browser (see initial system specs).

These are anomalies with the system since removing Agobot & this most recent Trojan that I'm trying to either
a. get back to normal,
or
b. determine if there's still something in here causing this stuff to occur.....

The instructions for ctrl\alt\del on startup was a success! Yay!--thanks :huh:
(altho it's still asking for a login & the control for that isn't enabled so I can't figure why it's still coming up....)

QUOTE
The utility will check the system files and automatically replace any that it finds necessary.

Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

You may need the Windows Install CD, so have it ready.
Go to Start, then Run, type sfc /scannow in the run box and press enter.


AND..... I fear that running Microsoft's System File Checker program might be a problem since the laptop only came with a software backup on the D: drive -- and it's XP Media Edition or I'd try running my own disc (which is XP Pro)...


QUOTE
Found an interesting HP error log when I tried looking further into the User Accts thing (not resolved). Granted, most shows my bf's aggressive computer 'GEO' (directly connected to the fios-which still has some kinks, obviously), but some other errors were enlightening (i.e., W32Time being related to the clock/date issues--tho maybe related to trojan & could be fixed now)

Sorry, my expertise is malware removal, not printer log problems.



This is a log of the LAPTOP's errors NOT a printer! It's an HP (again, see specs).

The time problem was mentioned in my ORIGINAL post as one of the initial things that flagged us that something was wrong.....Wouldn't this be related [somehow] to whatever got into the laptop?? Didn't having the worm & trojan + whatever else mess up these settings--cuz that's what it seems like?? Does just removing the crapware make the settings return?

All these oddities occurred at around the same time--and THAT's when I found the spy/mal-ware on the computer. I'm trying to get this to work normally again and it's still acting suspicious.

I mean, I'm incredibly grateful that we've gotten this far :thumbsup: , but my dad can't be trusted with his computer--esp with all these errors still occurring and while it's exhibiting some of the same symptoms as when he gave it to me... All I need is him roaming the 'net again and finding out there's still something in there that messed up things even more, or worse{?} some kind of hidden keylogger {?} or something still embedded.... Oy! :flowers:

I'll see what I can find out about the MS scan -- maybe there's a downloadable file on Microsoft or something? But, do you really think whatever else that's left is just Windows (and if so, is it BECAUSE the crapware funked-up the settings?)

Thanks ever so kindly for everything thus far & sorry it's taken so long to answer (been busy w/work all afternoon & evening).
Cheers,
Dawn
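Dawn's question above, whether the W32Time entries tie to the clock and date symptom, is the kind of thing a quick triage pass over the pasted event log can settle. The following is an added example, not code from this thread or from any tool named in it: a Python script that parses lines in the same date/source/message layout as the log posted earlier, groups them by failure type, and attaches the general Windows meaning of each error (the sample lines are a constructed subset of that log; the category names and notes are the example's own).

```python
"""Triage for Windows XP event-log lines exported in the layout pasted in this
thread ("<weekday>, <month> <day>, <year> <source> <message>"). Added example."""
import re
from collections import defaultdict

# Sources seen in the thread's log; multi-word names force the regex to enumerate them.
SOURCES = ("Service Control Manager", "Application Error", "W32Time",
           "MRxSmb", "ipnathlp", "DCOM", "DrWatson")
LINE_RE = re.compile(r"^(\w+, \w+ \d{1,2}, \d{4}) (%s) (.*)$"
                     % "|".join(re.escape(s) for s in SOURCES))

# Defender's reading per category: general Windows facts, not findings about this laptop.
NOTES = {
    "ntp_dns_unreachable": "clock-drift symptom explained: NtpClient could not resolve its peer (0x80072751 = WSAEHOSTUNREACH), so the clock was never corrected; check DNS and connectivity before blaming malware",
    "ntp_no_source": "follow-on to the lookup failures above, not a separate fault",
    "service_blocked_safe_mode": "Win32 error 1084 = service cannot be started in Safe Mode; expected while scanners run from Safe Mode, not an infection sign",
    "service_account_mismatch": "service log-on account differs from the other services in its host process; compare against a clean XP SP2 default",
    "driver_load_failed": "boot-start drivers skipped, commonly logged on a Safe Mode boot; note which ones belong to security products",
    "browser_election": "another LAN host claims the NetBIOS master-browser role; routine on a home network",
    "app_crash": "user-mode crash; correlate the faulting module with the symptoms the user reports",
}

# Constructed sample: six entries in the shape of the log above (not the full export).
SAMPLE_LOG = """\
Friday, April 27, 2007 W32Time Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Friday, April 27, 2007 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Saturday, April 28, 2007 Service Control Manager The Remote Registry service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
Wednesday, May 02, 2007 DCOM DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Wednesday, May 02, 2007 Service Control Manager The following boot-start or system-start driver(s) failed to load: AmdK8 Avg7Core Avg7RsW Avg7RsXP Fips SASDIFSV SASKUTIL
Thursday, April 12, 2007 Application Error Faulting application ANIWZCSdS.exe, version 1.0.1.30507, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
"""

def parse(text):
    for line in text.splitlines():  # yield (date, source, message); skip anything else
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def classify(source, msg):
    """Map one entry to (category, detail): detail is the service, driver tuple, host or binary."""
    if source == "W32Time" and "NtpClient" in msg:
        dns_fail = "0x80072751" in msg  # WSAEHOSTUNREACH (10065) wrapped as an HRESULT
        return ("ntp_dns_unreachable" if dns_fail else "ntp_no_source"), None
    if source == "DCOM":
        m = re.search(r'error "%(\d+)" attempting to start the service (\S+)', msg)
        if m and m.group(1) == "1084":
            return "service_blocked_safe_mode", m.group(2)
    if source == "Service Control Manager":
        m = re.search(r"The (.+?) service failed to start .*The account specified", msg)
        if m:
            return "service_account_mismatch", m.group(1)
        m = re.search(r"driver\(s\) failed to load: (.+)$", msg)
        if m:
            return "driver_load_failed", tuple(m.group(1).split())
    if source == "MRxSmb" and "master browser" in msg:
        m = re.search(r"from the computer (\S+) ", msg)
        return "browser_election", (m.group(1) if m else None)
    if source == "Application Error":
        m = re.search(r"Faulting application (\S+),", msg)
        if m:
            return "app_crash", m.group(1)
    return "other", None

def triage(text):
    """Group entries by category: count, dates in log order, distinct details, reading."""
    report = defaultdict(lambda: {"count": 0, "dates": [], "details": set(), "note": ""})
    for date, source, msg in parse(text):
        cat, detail = classify(source, msg)
        bucket = report[cat]
        bucket["count"] += 1
        bucket["dates"].append(date)
        bucket["note"] = NOTES.get(cat, "unclassified: read the message by hand")
        if detail is not None:
            bucket["details"].add(detail)
    return dict(report)

if __name__ == "__main__":
    for cat, b in sorted(triage(SAMPLE_LOG).items()):
        print(cat, b["count"], b["dates"][-1], sorted(map(str, b["details"])), b["note"])
```

Run it directly to print the grouped summary, or call triage() on a full export saved to a file.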



