jimnbarb

Everything posted by jimnbarb

  1. That's fine with me Jean, I will be rebuilding my machine this weekend. Thanks again for all the help. It sure made the journey less painful. JimnBarb
  2. I do not have any problem with the software you told me to run or your advice. It all seemed relevant, useful and delivered in a timely manner. I have nothing but praise for you. However, it's going to be a week before I can bring my machine down for an indeterminate amount of time. Once I do the reformat and put my machine back together I will report back. All passwords to critical information have been changed via another computer. Thanks for the heads up on that as well. Any advice in this endeavor is appreciated. Thanks again, I will post once I am back in shape.
  3. Well that is the worst possible news. Though from looking around this site, it is often the case. Having never done that before, I'm wondering if you know of a good resource to read up on what the steps are for reformatting?
  4. Does that mean my machine is rid of its infection? As far as my machine goes... My machine still seems very sluggish, especially when loading web pages. I also am noticing that the little idiot light that goes off whenever the laptop is doing some "thinking" flashes on and off about once a second. I'm pretty sure (though not 100%) that it wasn't doing that before. Right when this whole thing started my provider (Comcast) blocked my default email port because apparently my machine was spewing email. I can't help but think it might still be trying to do that (though I have no real evidence). Since I do WebDev for a living, being able to refresh web pages quickly is key. Right now it's averaging about 1 min per page reload. Any ideas?
  5. Here's the latest HJT log:
  6. Here is the combofix log:
  7. OK, the file was uploaded to your site: Isn't this file needed for my Visual Studio to continue functioning? VirusTotal scan log follows: File DEVENV.EXE received on 04.09.2008 17:43:15 (CET) Result: 0/32 (0%)
  8. Latest HJT log:
  9. Drat, those same 2 files are back again. Here is the latest MB log, HJT log to follow.
     Malwarebytes' Anti-Malware 1.11
     Database version: 600
     Scan type: Full Scan (C:\|D:\|)
     Objects scanned: 144841
     Time elapsed: 42 minute(s), 32 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
     C:\WINDOWS\TEMP\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\WINDOWS\TEMP\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
  10. OK, Combo Fix ran w/o any apparent errors. What next? This is getting kind of fun! Here is the resulting log from the ComboFix exe:
  11. Here is my latest HJT log:
  12. I had a question. You said to run HijackThis and put check marks next to certain items. Do I do anything after that point, like run "Fix Check" or something? Or do I just produce another log?
  13. OK, hopefully this one is better. As far as BitTorrent goes, I uninstalled that program months ago. There isn't a folder in my programs called that. WinReanimator is very recent and IMHO, the source of my agony. I don't recall ever installing that, though I did uninstall it last week when I discovered it. It doesn't exist in the file structure as far as I can tell. These guys:
      HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
      O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
      must be coming from my registry right? Should I go in and delete those entries? In any case here is my new HJT log. Thanks for the quick reply.
  14. Here's my Panda scan. Any help you could give me on this would be appreciated. It is driving me insane.
Settings\jantonio\Cookies\jantonio@toplist[1].txt 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@statcounter[1].txt 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statcounter[2].txt 00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@counter.hitslink[2].txt 00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@perf.overture[1].txt 00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@perf.overture[1].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/] 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ad.yieldmanager[2].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/] 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ad.yieldmanager[2].txt 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@apmebf[2].txt 00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@burstnet[2].txt 00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@burstnet[2].txt 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@serving-sys[1].txt 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@serving-sys[2].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and 
Settings\jantonio\Cookies\jantonio@bs.serving-sys[1].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bs.serving-sys[1].txt 00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@www.burstbeacon[1].txt 00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.burstbeacon[1].txt 00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@www.burstbeacon[2].txt 00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-us.falkag[1].txt 00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as1.falkag[2].txt 00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@weborama[2].txt 00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adtech[1].txt 00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adtech[1].txt 00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@server.iad.liveperson[2].txt 00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@server.iad.liveperson[2].txt 00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@stat.onestat[1].txt 00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@fl01.ct2.comclick[2].txt 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@advertising[1].txt 
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advertising[1].txt 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@advertising[2].txt 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/] 00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[1].txt 00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statse.webtrendslive[2].txt 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.pointroll[2].txt 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.pointroll[1].txt 00170554 Cookie/Overture TrackingCookie No 0 Yes 
No C:\Documents and Settings\jim\Cookies\jim@overture[1].txt 00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@overture[2].txt 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/] 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/] 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/] 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@realmedia[1].txt 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@realmedia[2].txt 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@realmedia[2].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@questionmarket[1].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@questionmarket[2].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@questionmarket[1].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.questionmarket.com/] 00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@zedo[1].txt 00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bluestreak[2].txt 00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xxxcounter[2].txt 
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[2].txt 00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bravenet[1].txt 00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adultfriendfinder[2].txt 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@go[1].txt 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@go[1].txt 00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@valueclick[2].txt 00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@searchportal.information[1].txt 00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@searchportal.information[2].txt 00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@searchportal.information[1].txt 00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@target[1].txt 00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ct.360i[1].txt 00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www2.addfreestats[1].txt 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atwola[2].txt 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atwola[1].txt 00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www6.addfreestats[1].txt 00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ehg-dig.hitbox[2].txt 00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and 
Settings\jantonio\Cookies\jantonio@ads.addynamix[2].txt 00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ads.addynamix[1].txt 00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.addynamix[1].txt 00515709 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[VaaaaaaaBaa.class] 00515710 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[baaaaa.class] 00515711 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[baaaaBaa.class] 00516819 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dex.class] 00516820 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dvnny.class] 00516821 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dux.class] 00516823 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dix.class] 01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe 01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi[unk_0029] 01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and 
Settings\jantonio\Cookies\jantonio@adserver.easyad[1].txt 02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[VaannnaaBaa.class] 02763635 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[bnnnnn.class] 02763636 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[bnnnnBaa.class] 02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advancedcleaner[2].txt 02908018 Cookie/WinReanimator TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@winreanimator[2].txt 02908359 Trj/Cimuz.KK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\msindc.dll ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description ;=============================================================================== ================================================================================ = =================== 108742 MEDIUM MS06-006 ;=============================================================================== ================================================================================ = 
===================
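Reading a scan report like the one above is mostly a filtering job: the tracking cookies are noise, the hits inside the Java deployment cache are cached applets (evidence of how a drive-by landed, not what is running now), the DLL under system32 is the one component that matters most, and the VULNERABILITIES section names the unpatched bulletin that may have let it in. The following Python script is an added example of that triage; it is not code from the original post or from Panda. The row regexes follow the column layout printed in the report; the location classes, their priority order and the `WATCH`-style labels are my own heuristics, and the sample input is a trimmed excerpt of the rows posted above.

```python
import re
from dataclasses import dataclass

# A MALWARE row as Panda prints it: Id Description Type Active Severity
# Disinfectable Disinfected Location. Description and Location may contain
# spaces, so Description is matched lazily up to the one-token Type column.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<sev>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<loc>.+)$")
# A VULNERABILITIES row: Id Severity Description, e.g. "108742 MEDIUM MS06-006".
VULN_RE = re.compile(r"^(?P<id>\d+)\s+(?P<sev>[A-Z]+)\s+(?P<desc>\S.*)$")

@dataclass
class Finding:
    id: str
    description: str
    type: str
    active: bool
    severity: int
    location: str

@dataclass
class Vulnerability:
    id: str
    severity: str
    description: str

def parse_report(text):
    """Split a Panda ActiveScan text report into malware rows and missing-patch rows."""
    findings, vulns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            findings.append(Finding(m["id"], m["desc"], m["type"], m["active"] == "Yes",
                                    int(m["sev"]), m["loc"]))
            continue
        v = VULN_RE.match(line)
        if v:
            vulns.append(Vulnerability(v["id"], v["sev"], v["desc"]))
    return findings, vulns

def classify_location(location):
    """Heuristic (mine, not Panda's): where a hit sits says what it is evidence of."""
    low = location.lower()
    if "\\windows\\system32\\" in low:
        return "system-dir"   # a DLL/EXE in the OS directory: treat as a live component
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java-cache"   # cached applet: how the box was exploited, not what runs now
    if low.startswith("c:\\swsetup\\"):
        return "oem-preload"  # vendor preload/recovery media: verify before acting
    return "other"

PRIORITY = {"system-dir": 0, "other": 1, "java-cache": 2, "oem-preload": 3}

def triage(findings):
    """Separate tracking cookies (noise) from real detections, most urgent first."""
    cookies = [f for f in findings if f.type == "TrackingCookie"]
    threats = [f for f in findings if f.type != "TrackingCookie"]
    threats.sort(key=lambda f: (not f.active, -f.severity,
                                PRIORITY[classify_location(f.location)]))
    return cookies, threats

def container(location):
    """Drop an archive-member suffix such as '[Dex.class]' to get the file on disk."""
    return location.split("[", 1)[0]

def summarize(text):
    """Headline line, then one line per real detection and per missing patch."""
    findings, vulns = parse_report(text)
    cookies, threats = triage(findings)
    files = {container(t.location) for t in threats}
    out = [f"{len(cookies)} tracking cookies (ignore), {len(threats)} real detections "
           f"in {len(files)} files, {len(vulns)} missing patches"]
    out += [f"[{classify_location(t.location)}] {t.description} -> {t.location}" for t in threats]
    out += [f"[patch] {v.severity} {v.description}" for v in vulns]
    return "\n".join(out)

# Constructed input: a trimmed excerpt of the rows from the scan above.
SAMPLE_LOG = r"""
ANALYSIS: 2008-04-07 10:39:02
MALWARE: 84
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@doubleclick[2].txt
00515709 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[VaaaaaaaBaa.class]
01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe
02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[VaannnaaBaa.class]
02908359 Trj/Cimuz.KK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\msindc.dll
VULNERABILITIES
Id Severity Description
108742 MEDIUM MS06-006
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the full report above this collapses 140-odd cookie rows into a single count and leaves four files to look at: the system32 DLL first (it is the only row with a non-zero severity), then the two cached JARs, then the HP preload folder, plus the MS06-006 bulletin to check for.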
  15. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:51 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

-- End of file - 7453 bytes
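A HijackThis log is long, but only a handful of section types carry persistence that a helper needs to act on. In the log above those are the O20 AppInit_DLLs entry (anything listed there is mapped into every process that loads user32.dll, and a `.dat` name is not what a legitimate product puts there), the O4 autorun for WinReanimator started with `/hide` (the Panda scan in this thread also reports a cookie for that product), the O15 Trusted Zone entry (relaxed IE security for one site, which must be confirmed as user-added), an orphaned O2 BHO with `(no file)`, and the O16 ActiveX downloads. The Python below is an added example of that first pass, not code from the original post or from HijackThis; the entry formats it parses are the ones visible above, the severity labels and the watch list are my own assumptions, and the sample input is a constructed excerpt of the log.

```python
import re

# "O20 - AppInit_DLLs: cru629.dat" -> code "O20", body "AppInit_DLLs: cru629.dat"
LINE_RE = re.compile(r"^(?P<code>[ROFN]\d+)\s+-\s+(?P<body>.+)$")
# O4 registry autoruns: "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^(?P<hive>[^:]+):\s+\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# O2 BHOs: "BHO: Name - {CLSID} - path"
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.*)$")

# Assumed watch list (mine, not part of HijackThis): autorun names to treat as
# hostile on sight. WinReanimator is here because the Panda scan in this thread
# also reports a cookie for it; extend it with whatever your own research confirms.
WATCHLIST = {"winreanimator"}
RANK = {"high": 0, "medium": 1, "low": 2}

def triage_entry(code, body):
    """Return (severity, reason) for one HijackThis entry, or None if it needs no comment."""
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        why = "AppInit_DLLs is loaded into every process that maps user32.dll"
        if not value.lower().endswith(".dll"):
            why += "; a non-.dll name here is a further red flag"
        return "high", why
    if code == "O4":
        m = RUN_RE.match(body)
        if not m:
            return None               # Global Startup .lnk entries are not checked here
        name, cmd = m["name"], m["cmd"]
        if name.lower() in WATCHLIST:
            return "high", f"autorun '{name}' is on the watch list"
        if "/hide" in cmd.lower().split():
            return "medium", f"autorun '{name}' starts with a hidden window"
        return None
    if code == "O15":
        return "medium", "Trusted Zone entry relaxes IE security for this site; confirm the user added it"
    if code == "O2":
        m = BHO_RE.match(body)
        if m and m["path"] == "(no file)":
            return "low", "orphaned BHO: CLSID registered but its file is gone"
        return None
    if code == "O16":
        return "low", "DPF ActiveX download: check the host is one the user actually uses"
    return None

def triage_log(text):
    """Parse a whole HijackThis log and return flagged entries, most severe first."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = triage_entry(m["code"], m["body"])
        if verdict:
            hits.append({"severity": verdict[0], "code": m["code"],
                         "reason": verdict[1], "line": raw.strip()})
    hits.sort(key=lambda h: RANK[h["severity"]])   # stable: log order within a rank
    return hits

# Constructed input: an excerpt of the entries from the log above.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for h in triage_log(SAMPLE_HJT):
        print(f"{h['severity']:6} {h['code']:4} {h['reason']}\n       {h['line']}")
```

The script deliberately says nothing about the O23 services and the vendor O4 entries; those need a vendor/signature check that a regex cannot do, and a triage pass is most useful when it surfaces only the lines that justify the next step.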
  16. Hello, this infection just won't go away. Panda and HijackThis logs to follow. As per the instructions here is my MB log:

Malwarebytes' Anti-Malware 1.10
Database version: 597

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 155728
Time elapsed: 44 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.