Livewinupdates Redirect At First...


  • This topic is locked
15 replies to this topic

#1 Charger

Charger

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:04:44 AM

Posted 17 May 2007 - 10:05 PM

A couple days ago my virus scanner Avast alerted me to several viruses or trojans that it detected, one after another when attempting to quarantine, until my computer crashed after the wallpaper was removed and left red. I started getting the fake warning messages about attempted hijacking that I believe direct me to livewinupdates com. I ran Ad-Aware after that, I think because Avast crashed, then I ran Avast successfully I think, then did some searching on some processes and manually deleted several that were known threats.

I thought I had everything taken care of when Ad-Aware and Avast were showing no threats and things looked normal, but as I started doing my normal things again, I'd get errors or crashes pretty frequently. Also, when navigating through my files, my browser would involuntarily load and go to that livewinupdates site.

I've gone through all the steps listed at this site before posting a hijackthis log to the best of my ability. There were certain limitations, such as a scanner not being able to delete a file, and Ad-Aware crashed my computer the last 2 times I tried to use it so I had to skip that.

I'm fearing the worst, thinking maybe something is too infected or I've deleted something I wasn't supposed to. I've had this notebook for 2 years and it's only crashed a few times. I've had very little (known) trouble with viruses and such.

Hoping for some sweet relief.

*******


Logfile of HijackThis v1.99.1
Scan saved at 9:53:06 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [CalcHash] C:\WINDOWS\system32\calchash.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\Software\..\Telephony: DomainName = DAKATAK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DAKATAK
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:44 AM

Posted 18 May 2007 - 07:02 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Charger :thumbsup:

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads, the Fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

********************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


********************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 (Search) by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

Also post a new Hijackthis log.

#3 Charger

Charger
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:04:44 AM

Posted 18 May 2007 - 02:21 PM

Thanks for the response and welcome. :thumbsup:

I know this is gonna slow me down, but I want to make sure I get this done right since you've taken the time to help me.

The text at the end of the SDFix process tells me to run catchme.exe after finishing, but you never mentioned that. Should I go ahead and run this?

Edited by Charger, 18 May 2007 - 02:22 PM.


#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:44 AM

Posted 18 May 2007 - 03:08 PM

The text at the end of the SDFix process tells me to run catchme.exe after finishing, but you never mentioned that. Should I go ahead and run this?

No, just follow all the rest of the instructions please :thumbsup:

#5 Charger

Charger
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:04:44 AM

Posted 18 May 2007 - 04:13 PM

I had a couple issues but was still able to complete all the scans.

ComboFix gave me some warnings.
"Unable to create a backup of the current registry file c:\WINDOWS\Temp\1847.tmp ! Continue restoration of this file?"

I wasn't sure what to click, I clicked Yes, which was followed by this:
" Error restoring c:\WINDOWS\erdnt\subs\18467.tmp to c:\WINDOWS\Temp\18467.tmp ! Continue with next file?"
Again I clicked Yes.

The next problem was that it sat at the 'Let Combofix reboot your computer' screen, with a blinking cursor, for about 5 minutes. I couldn't see or hear anything working so ended up doing a hard reset. When Windows loaded back up it ran something with 3M in the title, and created the log which I've posted with the others below.


SDFix

SDFix: Version 1.84

Run by David Kirkpatrick - Fri 05/18/2007 - 13:47:26.56

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\pee.exe.exe - Deleted
C:\WINDOWS\system32\sams.exe.exe - Deleted
C:\WINDOWS\system32\ipv6mons.dll - Deleted
C:\WINDOWS\system32\vexg4am1et2.exe - Deleted
C:\WINDOWS\system32\vexg6ame4.exe - Deleted
C:\WINDOWS\system32\vexga4m1et4.exe - Deleted
C:\WINDOWS\system32\vexga5me3.exe - Deleted
C:\WINDOWS\system32\vexga8me6.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted

Could Not Remove C:\WINDOWS\services.dll


Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"


Remaining Files:
---------------
C:\WINDOWS\services.dll Found

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\david's other\special stash\special stash level two\Rachel Rotten\Schoolbuschicks.com -Rachel Rotten\Thumbs.db
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\Smab.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\x2.64.exe
C:\WINDOWS\system32\x.264.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BITB.tmp

Finished



ComboFix

"David Kirkpatrick" - 2007-05-18 15:14:21 Service Pack 2
ComboFix 07-05.18.1.V - Running from: "C:\Documents and Settings\David Kirkpatrick\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\764.exe
C:\WINDOWS\iexplore.dll
C:\WINDOWS\services.dll
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


2007-05-17 15:49 <DIR> d-------- C:\DOCUME~1\DAVIDK~1\.housecall6.6
2007-05-17 15:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-17 01:10 133,162 --a------ C:\WINDOWS\system32\alt.exe
2007-05-17 00:20 2,552 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-16 16:08 133,162 --a------ C:\WINDOWS\system32\sams.exe
2007-05-16 16:05 44,032 --a------ C:\WINDOWS\msnfo32s.exe
2007-05-16 06:21 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-05-16 06:16 21,476 --a------ C:\WINDOWS\system32\calchash.exe
2007-05-16 06:14 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-05-16 06:14 12 --a------ C:\WINDOWS\system32\sl.bin
2007-05-16 06:14 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-05-16 06:13 75,264 --a------ C:\WINDOWS\installer.exe
2007-05-16 06:13 32,512 --a------ C:\WINDOWS\system32\wml.exe
2007-05-16 06:13 30,208 --a------ C:\WINDOWS\flt.dll
2007-05-16 06:13 28,928 --a------ C:\WINDOWS\bokja.exe
2007-05-16 06:13 27,136 --a------ C:\WINDOWS\7search.dll
2007-05-16 06:13 26,624 --a------ C:\WINDOWS\vxddsk.exe
2007-05-16 06:13 25,344 --a------ C:\WINDOWS\mspphe.dll
2007-05-16 06:13 24,832 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-05-16 06:13 24,576 --a------ C:\WINDOWS\updatetc.exe
2007-05-16 06:13 24,576 --a------ C:\WINDOWS\180ax.exe
2007-05-16 06:13 23,808 --a------ C:\WINDOWS\voiceip.dll
2007-05-16 06:13 21,504 --------- C:\WINDOWS\system32\msdn_lib.dll
2007-05-16 06:13 20,992 --a------ C:\WINDOWS\saiemod.dll
2007-05-16 06:13 20,480 --a------ C:\WINDOWS\satmat.exe
2007-05-16 06:13 20,224 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-05-16 06:13 18,944 --a------ C:\WINDOWS\salm.exe
2007-05-16 06:13 16,128 --a------ C:\WINDOWS\cdsm32.dll
2007-05-16 06:13 15,872 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-05-16 06:13 13,312 --a------ C:\WINDOWS\stcloader.exe
2007-05-16 06:13 12,544 --a------ C:\WINDOWS\pbar.dll
2007-05-16 06:13 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-05-16 06:13 11,520 --a------ C:\WINDOWS\wml.exe
2007-05-16 06:13 10,496 --a------ C:\WINDOWS\bjam.dll
2007-05-16 06:12 82,438 --a------ C:\WINDOWS\system32\msorcl32.exe
2007-05-16 06:12 5,120 --a------ C:\WINDOWS\drv.sys
2007-05-16 06:12 16,896 --a------ C:\WINDOWS\snownoit.exe
2007-05-13 01:01 268 --a------ C:\WINDOWS\system32\PDPCustomPaper.dat
2007-05-13 00:56 98,304 --a------ C:\WINDOWS\system32\CTPDPSTR.dll
2007-05-13 00:56 81,920 --a------ C:\WINDOWS\system32\CTLayout.dll
2007-05-13 00:56 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-05-13 00:56 77,824 --a------ C:\WINDOWS\system32\CT53Lay.dll
2007-05-13 00:56 73,728 --a------ C:\WINDOWS\system32\CT53mdm.dll
2007-05-13 00:56 696,320 --a------ C:\WINDOWS\system32\CT53RES.DLL
2007-05-13 00:56 65,536 --a------ C:\WINDOWS\system32\CTPDPMON.DLL
2007-05-13 00:56 57,344 --a------ C:\WINDOWS\system32\CT53papr.dll
2007-05-13 00:56 57,344 --a------ C:\WINDOWS\system32\CT53mnt.dll
2007-05-13 00:56 45,056 --a------ C:\WINDOWS\system32\CTPDPUI.EXE
2007-05-13 00:56 406,528 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-05-13 00:56 40,960 --a------ C:\WINDOWS\system32\CT53sts.dll
2007-05-13 00:56 37,376 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-05-13 00:56 36,864 --a------ C:\WINDOWS\system32\CTGetSt.dll
2007-05-13 00:56 344,064 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-05-13 00:56 33,280 --a------ C:\WINDOWS\system32\lfpcx12n.dll
2007-05-13 00:56 32,256 --a------ C:\WINDOWS\system32\lflmb12n.dll
2007-05-13 00:56 3,932 --a------ C:\WINDOWS\system32\CTLayout.dat
2007-05-13 00:56 28,672 --a------ C:\WINDOWS\system32\CT53qlty.dll
2007-05-13 00:56 278,528 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-05-13 00:56 166,400 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-05-13 00:56 161,280 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-05-13 00:56 143,360 --a------ C:\WINDOWS\system32\CT53ShEx.dll
2007-05-13 00:56 14,628 --a------ C:\WINDOWS\system32\CT53usb.dll
2007-05-13 00:56 127,488 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-05-13 00:56 109,568 --a------ C:\WINDOWS\system32\lfjbg12n.dll
2007-05-13 00:56 106,496 --a------ C:\WINDOWS\system32\CTInkUtl.dll
2007-05-13 00:56 1,044,480 --a------ C:\WINDOWS\system32\Roboex32.dll
2007-05-13 00:56 <DIR> d-------- C:\WINDOWS\system32\drivers\OEMUSB
2007-05-13 00:56 <DIR> d-------- C:\WINDOWS\system32\CTStatus
2007-05-13 00:56 <DIR> d-------- C:\WINDOWS\system32\color
2007-05-13 00:56 <DIR> d-------- C:\Program Files\Compaq A3000
2007-05-12 18:24 3,072 -ra------ C:\WINDOWS\system32\coskdm.dll
2007-05-07 03:32 <DIR> d-------- C:\DOCUME~1\DAVIDK~1\APPLIC~1\acccore
2007-05-07 03:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-05-07 03:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-05-07 03:31 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-05-07 03:31 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-05-07 03:31 <DIR> d-------- C:\Program Files\AIM6
2007-05-07 03:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-04-28 22:05 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-04-28 22:05 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-04-28 22:05 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-04-28 22:05 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-04-28 22:05 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-04-28 22:05 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-04-28 22:05 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-04-28 22:05 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-04-28 22:05 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-04-28 22:05 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-04-28 22:05 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-04-28 22:05 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-04-28 22:05 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-04-28 22:05 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-04-28 22:05 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-04-28 22:05 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-04-28 22:04 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-04-28 22:04 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-04-28 22:04 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-04-28 22:04 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-04-28 22:04 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-04-28 22:04 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-04-28 22:04 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-04-28 22:04 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-04-28 22:04 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-04-28 22:00 <DIR> d-------- C:\Program Files\TVAnts
2007-04-28 21:55 <DIR> d-------- C:\DOCUME~1\DAVIDK~1\APPLIC~1\TVU Networks
2007-04-28 21:47 <DIR> d-------- C:\Program Files\TVUPlayer
2007-04-28 15:50 <DIR> d-------- C:\Program Files\FLAC
2007-04-21 18:49 <DIR> d-------- C:\Program Files\SopCast
2007-04-21 18:49 <DIR> d-------- C:\DOCUME~1\DAVIDK~1\APPLIC~1\SopCast


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-17 06:10:40 152,192 ----a-w C:\WINDOWS\system32\windev-7494-719d.sys
2007-05-16 10:16:20 -------- d-----w C:\DOCUME~1\DAVIDK~1\APPLIC~1\Azureus
2007-05-16 00:12:40 -------- d-----w C:\Program Files\Winamp
2007-05-15 10:19:36 5 ----a-w C:\WINDOWS\system32\SySVid.dat
2007-05-13 05:56:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-07 18:34:34 -------- d-----w C:\Program Files\AIM
2007-05-07 09:07:37 -------- d-----w C:\Program Files\AOD
2007-05-07 08:30:51 335 ----a-w C:\WINDOWS\nsreg.dat
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-03-30 05:49:37 -------- d-----w C:\Program Files\Games
2007-03-30 03:10:15 -------- d-----w C:\Program Files\Broadcom
2007-03-30 03:09:03 -------- d-----w C:\Program Files\DIFX
2007-03-30 03:07:11 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-03-30 03:05:20 -------- d-----w C:\Program Files\Hewlett-Packard
2007-03-30 03:02:44 -------- d-----w C:\Program Files\InterVideo
2007-03-30 03:02:14 -------- d-----w C:\Program Files\SP31763
2007-03-30 02:53:43 -------- d-----w C:\Program Files\HPQ
2007-03-30 02:37:58 -------- d-----w C:\Program Files\Hp
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-10 05:52:56 -------- d-----w C:\Program Files\SuperAudiotool
2007-03-10 05:52:21 3,082 ----a-w C:\WINDOWS\system32\affv11300p4now.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7C2F2C76-1489-450D-B8FB-0B9692D788F9}=C:\WINDOWS\system32\msdn_lib.dll [2007-05-16 06:13]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-07-28 19:26]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 17:07]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 09:32]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"SAITEKAUTOCONFIGURE"="C:\Program Files\Saitek\ST\Drv\saicnfig.exe" []
"Wallpaper"="" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 16:47]
"CalcHash"="C:\WINDOWS\system32\calchash.exe" [2007-05-16 06:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2005-12-09 21:29:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-18 15:26:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?8?4?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

C:\SYSTEM.SAV\info.bom 16384 bytes
C:\SYSTEM.SAV\INFO.US 4096 bytes
C:\SYSTEM.SAV\Logs
C:\SYSTEM.SAV\Logs\Cia.ini 151552 bytes
C:\SYSTEM.SAV\Logs\Info.bom 16384 bytes
C:\SYSTEM.SAV\Logs\Install.log 364544 bytes
C:\SYSTEM.SAV\Logs\Preinchk.log 4096 bytes
C:\SYSTEM.SAV\Logs\Sysinfo.log 294912 bytes
C:\SYSTEM.SAV\Logs\UIADUMP.EUE 4096 bytes
C:\SYSTEM.SAV\Logs\UIADUMP.FPP 4096 bytes
C:\SYSTEM.SAV\mszone.log 16384 bytes
C:\SYSTEM.SAV\PREINCHK.log 4096 bytes
C:\SYSTEM.SAV\REBOOT.ME 48 bytes
C:\SYSTEM.SAV\REGFLUSH.LOG 4096 bytes
C:\SYSTEM.SAV\RmDev.log 20480 bytes
C:\SYSTEM.SAV\SYSINFO.LOG 294912 bytes
C:\SYSTEM.SAV\SysInfo.US 294912 bytes
C:\SYSTEM.SAV\UTIL
C:\SYSTEM.SAV\UTIL\31899007.CVA 4096 bytes
C:\SYSTEM.SAV\UTIL\318990B2.CVA 4096 bytes
C:\SYSTEM.SAV\UTIL\BOOTSEC.NT4 512 bytes
C:\SYSTEM.SAV\UTIL\BrandIt.Log 8192 bytes
C:\SYSTEM.SAV\UTIL\CHKIMAGE.exe 126976 bytes
C:\SYSTEM.SAV\UTIL\CIA.CDC 65536 bytes
C:\SYSTEM.SAV\UTIL\CIA.INI 77824 bytes
C:\SYSTEM.SAV\UTIL\cpqci.dll 122880 bytes
C:\SYSTEM.SAV\UTIL\cvacompg.exe 118784 bytes
C:\SYSTEM.SAV\UTIL\cvacompg.tmp 168 bytes
C:\SYSTEM.SAV\UTIL\DelDir.exe 36864 bytes
C:\SYSTEM.SAV\UTIL\delmodem.ini 184 bytes
C:\SYSTEM.SAV\UTIL\DETECTOS.INI 408 bytes
C:\SYSTEM.SAV\UTIL\DNSP1.LOG 16384 bytes
C:\SYSTEM.SAV\UTIL\EISDTICON.log 32 bytes
C:\SYSTEM.SAV\UTIL\EVENTDEL.VBS 208 bytes
C:\SYSTEM.SAV\UTIL\FB_EIS.log 32 bytes
C:\SYSTEM.SAV\UTIL\hpqnt.dll 77824 bytes
C:\SYSTEM.SAV\UTIL\INSTALL.LOG 368640 bytes
C:\SYSTEM.SAV\UTIL\ISLOGCHK.EXE 110592 bytes
C:\SYSTEM.SAV\UTIL\ISLOGCHK.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\PININST.EXE 110592 bytes
C:\SYSTEM.SAV\UTIL\PININST.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\PININST.LOG 4096 bytes
C:\SYSTEM.SAV\UTIL\POSTOOBE.LOG 24 bytes
C:\SYSTEM.SAV\UTIL\postproc.ini 520 bytes
C:\SYSTEM.SAV\UTIL\powerset.log 88 bytes
C:\SYSTEM.SAV\UTIL\PREINCHK.BAT 216 bytes
C:\SYSTEM.SAV\UTIL\PREINFO.INI 216 bytes
C:\SYSTEM.SAV\UTIL\PREINFO2.EXE 86016 bytes
C:\SYSTEM.SAV\UTIL\qlb.log 176 bytes
C:\SYSTEM.SAV\UTIL\random.ini 40 bytes
C:\SYSTEM.SAV\UTIL\REGDEV.EXE 106496 bytes
C:\SYSTEM.SAV\UTIL\REGDEV.INI 560 bytes
C:\SYSTEM.SAV\UTIL\SEDCVA.bat 112 bytes
C:\SYSTEM.SAV\UTIL\setup.log 168 bytes
C:\SYSTEM.SAV\UTIL\SWSET_B.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\touchpad.log 192 bytes
C:\SYSTEM.SAV\UTIL\WINDVD.LOG 168 bytes
C:\SYSTEM.SAV\UTIL\wlassistant.log 176 bytes

scan completed successfully
hidden files: 58


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\xpdt]
"ImagePath"="\??\C:\WINDOWS\system32:xpdt.sys"

Completion time: 2007-05-18 15:29:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-18 15:29


--- E O F ---

SmitFraudFix

SmitFraudFix v2.183

Scan done at 15:35:35.01, Fri 05/18/2007
Run from C:\Documents and Settings\David Kirkpatrick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\David Kirkpatrick


C:\Documents and Settings\David Kirkpatrick\Application Data


Start Menu


C:\DOCUME~1\DAVIDK~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 24.93.41.125
DNS Server Search Order: 24.93.41.126

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E572335-034A-4EC3-9D40-0BAD350E5E9A}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E572335-034A-4EC3-9D40-0BAD350E5E9A}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E572335-034A-4EC3-9D40-0BAD350E5E9A}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126


Scanning for wininet.dll infection


End

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 3:40:30 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [CalcHash] C:\WINDOWS\system32\calchash.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\Software\..\Telephony: DomainName = DAKATAK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DAKATAK
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Charger, 18 May 2007 - 04:18 PM.
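As an added example (not code from the thread or from any of the tools used in it), here is a short Python triage pass over a few lines copied from the ComboFix and HijackThis logs above. It flags the kinds of entries a helper's fix list targets: orphaned "(file missing)" registrations, a Run entry that launches a non-standard binary out of system32 (calchash.exe), a BHO whose DLL sits under C:\WINDOWS rather than Program Files (msdn_lib.dll), a service with no vendor string, and, from the ComboFix tail, a driver whose ImagePath is an NTFS alternate data stream (system32:xpdt.sys), which is the one entry in these logs that points at kernel-level hiding rather than adware. The system32 allowlist and the rule wording are assumptions for illustration. The avast! Web Scanner line is included on purpose: the running-process list shows ashWebSv.exe alive, so its "(file missing)" is an artifact of HijackThis mis-reading the quoted ImagePath, and the code routes it to "verify" instead of "cleanup".

```python
import re

# Sample input: lines copied from the HijackThis and ComboFix logs in the post
# above (a constructed subset, not a complete log).
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CalcHash] C:\WINDOWS\system32\calchash.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\xpdt]
"ImagePath"="\??\C:\WINDOWS\system32:xpdt.sys"
"""

# Assumption for this example: the only Windows autorun expected from system32
# on this box is ctfmon.exe; extend from a known-good image in real use.
SYSTEM32_ALLOWLIST = {"ctfmon.exe"}

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
IMAGEPATH = re.compile(r'^"ImagePath"="(?P<path>[^"]*)"$')


def strip_nt_prefix(path):
    """Drop the \\??\\ object-manager prefix ComboFix prints on driver paths."""
    return path[4:] if path.startswith("\\??\\") else path


def is_ads_path(path):
    """True when a Win32 path names an NTFS alternate data stream, e.g.
    C:\\WINDOWS\\system32:xpdt.sys is the stream 'xpdt.sys' on the system32
    directory: a second colon after the drive letter in the final component."""
    p = strip_nt_prefix(path)
    if len(p) < 3 or p[1:3] != ":\\":
        return False
    return ":" in p.rsplit("\\", 1)[-1]


def exe_path(cmd):
    """Executable portion of a Run-key command line (quoted token, or the text
    before the first ' /' or ' -' switch, as HijackThis prints it)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    for sep in (" /", " -"):
        i = cmd.find(sep)
        if i > 0:
            cmd = cmd[:i]
    return cmd


def triage_hjt(text):
    """Return (severity, section, reason, line) tuples for suspicious HJT entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        missing = body.endswith("(file missing)")
        if sec == "O23" and missing and '"' in body:
            # A stray quote in the line means HJT split a quoted ImagePath with a
            # switch; the binary is usually present, so check on disk first.
            findings.append(("verify", sec, "quoted ImagePath confused the file check; confirm on disk", line))
        elif missing:
            findings.append(("cleanup", sec, "registered component no longer on disk", line))
        elif sec == "O4":
            r = O4_RUN.match(body)
            if r:
                path = exe_path(r.group("cmd")).lower()
                base = path.rsplit("\\", 1)[-1]
                if "\\system32\\" in path and base not in SYSTEM32_ALLOWLIST:
                    findings.append(("review", sec, "Run entry launches an unexpected system32 binary; hash it and look it up", line))
        elif sec in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1].lower()
            if "\\windows\\" in path:
                findings.append(("review", sec, "browser extension DLL lives under the Windows directory, not Program Files", line))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append(("review", sec, "service binary carries no vendor string; verify its signature", line))
    return findings


def triage_services(text):
    """Flag service ImagePath values that point at an alternate data stream."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = IMAGEPATH.match(line)
        if m and is_ads_path(m.group("path")):
            svc = key.rsplit("\\", 1)[-1] if key else "?"
            findings.append(("critical", svc, "driver ImagePath is an NTFS alternate data stream (rootkit hiding); image and hash before cleaning", m.group("path")))
    return findings


if __name__ == "__main__":
    for sev, where, why, evidence in triage_hjt(SAMPLE_HJT) + triage_services(SAMPLE_COMBOFIX):
        print(f"[{sev:8}] {where:5} {why}\n            {evidence}")
```

The severities are an order of work, not verdicts: the stream-hosted driver is the item to preserve a copy of before any automated tool deletes it, the "review" items get a hash lookup, and the "cleanup" items are plain registry hygiene.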


#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 23 May 2007 - 05:21 PM

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\alt.exe
C:\WINDOWS\system32\calchash.exe
C:\WINDOWS\system32\sams.exe
C:\WINDOWS\msnfo32s.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\installer.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\updatetc.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\satmat.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\salm.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\wml.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\snownoit.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

*********************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [CalcHash] C:\WINDOWS\system32\calchash.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

********************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.


Post the contents of the BitDefender Online Scanner log, the AVG Anti-Spyware report, and a new HijackThis log into your next reply.
Let me know how your pc is running now please.


#7 Charger (Topic Starter, Members, 31 posts, Texas)

Posted 24 May 2007 - 10:20 PM

Sorry I couldn't reply sooner. I had a few crashes and other business to take care of. :thumbsup:

OTMoveIt gave me some messages on the .dll files of the list I copied, saying they weren't valid images. I wrote the filenames down, checked back with the list, and it looks like the only .dll that it didn't object to was "msdn_lib". No problem with the other file types.


AVG

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:42:17 AM 5/24/2007

+ Scan result:



HKU\S-1-5-21-141821237-1654848454-2035675051-1006\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-141821237-1654848454-2035675051-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\services.dll.vir -> Downloader.Agent.bhg : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/movedfile.ren -> Downloader.Agent.bhg : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/services.dll -> Downloader.Agent.bhg : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexga5me3.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\msdn_lib.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\msorcl32.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).
C:\WINDOWS\drv.sys -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexga4m1et4.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\msnfo32s.exe -> Proxy.Agent.mm : Cleaned with backup (quarantined).
C:\Program Files\Outlook Express\temp.exe -> Proxy.Ranky.fx : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\calchash.exe -> Proxy.Ranky.fx : Cleaned with backup (quarantined).
C:\Documents and Settings\David Kirkpatrick\Cookies\david_kirkpatrick@www.paypal[2].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\David Kirkpatrick\Cookies\david_kirkpatrick@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\David Kirkpatrick\Cookies\david_kirkpatrick@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\_OTMoveIt\MovedFiles\WINDOWS\snownoit.exe -> Trojan.LdPinch.bta : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/wincom32.sys -> Trojan.Tibs.w : Cleaned with backup (quarantined).
C:\WINDOWS\system32\windev-7494-719d.sys -> Trojan.Tibs.w : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/pee.exe.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/sams.exe.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexg4am1et2.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\alt.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\sams.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexg6ame4.exe -> Worm.Zhelatin.dy : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexga8me6.exe -> Worm.Zhelatin.dy : Cleaned with backup (quarantined).


::Report end

BitDefender



BitDefender Online Scanner

Scan report generated at: Thu, May 24, 2007 - 14:26:49
Scan path: C:\;D:\;E:\;

Statistics
  Time: 01:42:42
  Files: 723601
  Folders: 7923
  Boot Sectors: 2
  Archives: 9584
  Packed Files: 68706

Results
  Identified Viruses: 3
  Infected Files: 24
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 24

Engines Info
  Virus Definitions: 508260
  Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\3e5f2129-1f0a28e3.bac_a02588=>(Quarantine-4)
  =>BaaaaBaa.class      Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>VaaaaaaaBaa.class   Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dvnny.class         Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Baaaaa.class        Infected with: Java.Trojan.Exploit.Bytverify.I -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dix.class           Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dux.class           Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\3e5f2129-1f0a28e3.bac_a02588
                        Update failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\56fb8e4b-5b8830b7.bac_a02588=>(Quarantine-4)
  =>BaaaaBaa.class      Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>VaaaaaaaBaa.class   Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dvnny.class         Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Baaaaa.class        Infected with: Java.Trojan.Exploit.Bytverify.I -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dix.class           Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dux.class           Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\56fb8e4b-5b8830b7.bac_a02588
                        Update failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-1e0944b3-2483b32b.zip.bac_a02588=>(Quarantine-4)
  =>BaaaaBaa.class      Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>VaaaaaaaBaa.class   Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dvnny.class         Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Baaaaa.class        Infected with: Java.Trojan.Exploit.Bytverify.I -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dix.class           Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>Dux.class           Infected with: Trojan.Java.ClassLoader.D       -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-1e0944b3-2483b32b.zip.bac_a02588
                        Update failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)
  =>BaaaaBaa.class      Infected with: Java.Trojan.Exploit.Bytverify   -> Disinfection failed -> Deleted -> (Quarantine-4) Updated
  =>VaaaaaaaBaa.class


Infected with: Trojan.Java.ClassLoader.D

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>VaaaaaaaBaa.class


Disinfection failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>VaaaaaaaBaa.class


Deleted

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)


Updated

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dvnny.class


Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dvnny.class


Disinfection failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dvnny.class


Deleted

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)


Updated

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Baaaaa.class


Infected with: Java.Trojan.Exploit.Bytverify.I

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Baaaaa.class


Disinfection failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Baaaaa.class


Deleted

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)


Updated

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dix.class


Infected with: Trojan.Java.ClassLoader.D

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dix.class


Disinfection failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dix.class


Deleted

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)


Updated

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dux.class


Infected with: Trojan.Java.ClassLoader.D

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dux.class


Disinfection failed

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)=>Dux.class


Deleted

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588=>(Quarantine-4)


Updated

C:\Documents and Settings\David Kirkpatrick\.housecall6.6\Quarantine\crtdcghcn.jar-725710db-18755492.zip.bac_a02588


Update failed


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 2:32:00 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\Software\..\Telephony: DomainName = DAKATAK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DAKATAK
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

------------------------------------------------------

HOW MY COMPUTER IS RUNNING NOW:

I don't seem to have the livewinupdate redirect problem anymore.

No virus messages popping up on the task bar.

IE seems to work fine. It did crash at the very end of the BitDefender scan for some reason and I had to scan the whole thing again to get a log.

No more blank folders or crashing while browsing my files.

I ran some games, they work fine. Opened WMP, and I'm not sure if it's related to anything or worth addressing here, but it took 5-10 seconds when I double clicked on the screen for it to go to fullscreen. Usually it's instant.

An aggravating problem now is crashing after my computer tries to come back out of standby, or if it tries to enter hibernation. It gives me a blue screen saying "DRIVER_IRQL_NOT_LESS_OR_EQUAL", with suggestions and then long sets of numbers near the bottom. The screen only stays on for a couple seconds before the computer restarts. This problem started sometime after the initial infection came to my attention.

Lastly, and I don't know if this is related since it started a couple days before the infection warning, my power supply and audio icons aren't loading on startup anymore. I have to go in and manually uncheck, then check again, the 'always show icon' boxes for these.

Edited by Charger, 24 May 2007 - 10:22 PM.


#8 RichieUK
Malware Assassin
Malware Response Team, 13,614 posts

Posted 25 May 2007 - 03:15 AM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
Exit Hijackthis.

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

************************************

Download AVG Anti-Rootkit and save to your desktop
1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some time so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use notepad to open the .csv file). Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

Also post a new Hijackthis log please.
Let me know what's happening now.

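Every HijackThis entry RichieUK asks to fix in post #8 carries a "(no file)" or "(file missing)" marker, and the follow-up request is a fresh log to confirm they are gone. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that pulls those orphaned entries out of a v1.99 log and diffs a before/after pair; the sample logs are a constructed subset copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread).

Two checks the thread does by eye:
  1. list entries whose target HijackThis could not find ("(no file)",
     "(file missing)"), i.e. the orphaned hooks the helper asked to fix;
  2. diff a log taken before the fix against one taken after, to confirm
     those entries are gone and that nothing new appeared in the meantime.
"""
import re
from typing import Dict, List, Tuple

# Every HijackThis finding starts with a section code such as "O2 - BHO: ...".
# Lines under "Running processes:" are bare paths and deliberately do not match.
_ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# Markers HijackThis appends when the referenced file is absent on disk.
_ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_hjt_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for each finding in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_orphans(text: str) -> List[str]:
    """Findings that point at a file HijackThis could not locate.

    An orphaned BHO, toolbar or button entry cannot run anything, but it is
    leftover registration from a removed component and is what the helper
    asks the user to 'Fix checked'.  Entries whose file *is* present need a
    different judgement (vendor, path, signature) and are not flagged here.
    """
    return [f"{sec} - {body}" for sec, body in parse_hjt_log(text)
            if any(mark in body for mark in _ORPHAN_MARKERS)]


def diff_hjt_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Set difference of findings between two logs of the same machine.

    Line order in HijackThis logs is not stable between runs, so compare as
    sets: 'removed' should be exactly what was fixed, 'added' should be empty.
    """
    b = {f"{s} - {x}" for s, x in parse_hjt_log(before)}
    a = {f"{s} - {x}" for s, x in parse_hjt_log(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# Constructed sample: a subset of the 5/24 and 5/25 logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:32:00 PM, on 5/24/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:46:57 PM, on 5/25/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


if __name__ == "__main__":
    print("Orphaned entries in the first log:")
    for line in find_orphans(LOG_BEFORE):
        print("  ", line)
    delta = diff_hjt_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed between logs:", len(delta["removed"]))   # 4
    print("Added between logs:", len(delta["added"]))       # 0
```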

#9 Charger
Topic Starter
Members, 31 posts

Posted 25 May 2007 - 12:29 PM

DrWeb CureIt

Process.exe;C:\Documents and Settings\David Kirkpatrick\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\David Kirkpatrick\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\Documents and Settings\David Kirkpatrick\My Documents\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\David Kirkpatrick\My Documents\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;


AVG Anti-Rootkit

C:\WINDOWS\system32:xpdt.sys,Hidden driver file


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:47:23 AM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\Software\..\Telephony: DomainName = DAKATAK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DAKATAK
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

------------------------------------------------------------------------

Anti-Rootkit said it successfully deleted the rootkit when I restarted.

I did get a message after bootup that Windows recovered from a serious error. It's been happening every so often while I've been dealing with this stuff, and it happened once about a month ago. But with these that have popped up in the last week, I close one and then another pops up. I looked at the error contents and they all display a similar pair of files. Here's the first one:

C:\DOCUME~1\DAVIDK~1\LOCALS~1\Temp\WERf9b6.dir00\Mini052307-03.dmp
C:\DOCUME~1\DAVIDK~1\LOCALS~1\Temp\WERf9b6.dir00\sysdata.xml

Power and Audio icons loaded during that same bootup I believe. But when testing it with another restart, they did not.

Standby and Hibernation work fine now! :thumbsup:


I also thought I might mention that I still have System Restore turned off, as I was originally prompted to do so either in the preparatory steps for creating this thread or by one of the programs I ran.

#10 RichieUK
Malware Assassin
Malware Response Team, 13,614 posts

Posted 25 May 2007 - 01:52 PM

Click on Start/Run, type CMD, then press Ok.
At the Command Prompt copy and paste the following commands pressing Enter after each one.

SC STOP SymWSC
SC DELETE SymWSC


Then type EXIT then press Enter.
Restart your pc.

Find and delete:
C:\Program Files\Common Files\Symantec Shared

Restart your pc.
Post a new Hijackthis log in your next reply.
Let me know how it's running now.


#11 Charger
Topic Starter
Members, 31 posts

Posted 25 May 2007 - 03:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:46:57 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\Software\..\Telephony: DomainName = DAKATAK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DAKATAK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DAKATAK
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--------------------------------------------

Power and Audio icons still fail to load at start up.

I restarted I think 4 times and I haven't had the serious error message.


Everything else seems to be okay.
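
An added example, not part of the thread or of HijackThis itself: a small Python reader for entries in the log format posted above. The sample lines are constructed from that log, and the only assumption is that each entry starts with a section code (such as O4 or O23) followed by " - "; it tallies entries per section and flags what a log reviewer checks first, "(file missing)" entries, O23 services with an unknown owner, and O17 domain settings to verify against the user's own network.

```python
import re

# Constructed sample in HijackThis log format, taken from lines of the log
# posted above; it includes the two anomalies a reviewer checks first (an
# "Unknown owner" service and "(file missing)" entries) and an O17 entry.
SAMPLE_LOG = r"""
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DAKATAK
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Assumed entry shape: a section code (R, F, N or O plus a number), then " - ",
# then the entry body. Blank lines and separators are not entries.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

def parse_line(line):
    """Return {'section', 'body'} for an entry line, or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2)}

def review_flags(entry):
    """List the checks a reviewer would raise for one parsed entry."""
    flags = []
    body = entry["body"]
    if "(file missing)" in body:
        flags.append("file missing")  # the registered path no longer resolves
    if entry["section"] == "O23" and " - Unknown owner - " in body:
        flags.append("unknown service owner")  # no publisher info for the binary
    if entry["section"] == "O17":
        flags.append("domain setting to verify")  # should match the user's network
    return flags

def review_log(log_text):
    """Parse a whole log; return (entry counts by section, flagged entries)."""
    counts = {}
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        counts[entry["section"]] = counts.get(entry["section"], 0) + 1
        flags = review_flags(entry)
        if flags:
            flagged.append((entry["section"], flags, raw.strip()))
    return counts, flagged
```

Calling `review_log(SAMPLE_LOG)` returns the per-section counts and the three flagged entries (the O17 domain line, the msnim protocol line and the avast! Web Scanner service), while the avast! Antivirus service line raises no flag.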

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 25 May 2007 - 04:15 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
SDFix.exe
Combofix
SmitfraudFix
OTMoveIt

C:\SDFix
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Power and Audio icons still fail to load at start up.

I suggest you seek help here for the above problem:
Windows XP Home and Professional:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

#13 Charger
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Texas

Posted 25 May 2007 - 04:42 PM

Sweet. I truly appreciate all the help you've given me. It takes a special kind of person to do this stuff. Good work. :thumbsup:

Slight problem though.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.


I'm not given those options. When I click on 'Start/All Programs/Accessories/System Tools/System Restore' a window pops up and asks me if I want to turn system restore on. I click yes and it opens up the properties with the System Restore tab selected. I can uncheck 'Turn off System Restore' and I can change the space dedicated to it. It also says the status of my C drive, which is 'turned off'. That's it.


If I click no in the original popup it just disappears and takes no action. Sorry if I'm missing the obvious.

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 25 May 2007 - 04:47 PM

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are created automatically.
:thumbsup:

#15 Charger
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Texas

Posted 25 May 2007 - 05:03 PM

Alright. All done. Thanks again for the help. I'll definitely do what I can to be safer now, and I'll definitely be sticking around this forum for awhile. Keep up the good work.

Edited by Charger, 25 May 2007 - 05:04 PM.




