
trying to assess damage



Had been running CA Security Suite on the kids' PC. Then it was suddenly hit with several things. CAS removed a lot, but couldn't remove PoserTM or Darksma.

Malwarebytes did an excellent job removing them, and found many other things it successfully removed, so I thought I was done. But then I installed the NIS2009 disc, and noticed that clicking "Install" from the autoplay function tried to do something with the printer and didn't install, which made me think things are still hosed up. I installed NIS2009 from Explorer, and the full scan came out clean. Not sure if things are still messed up or not; afraid to connect this PC back into our network. Thanks for any help.

------------------------------------------------------------------------------------

Hijack_This_Log

------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:23:04 PM, on 1/23/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\Palringo\palringo.exe

C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\AIM6\aolsoftware.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P65 "EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)" /O21 "IP_192.168.0.198_9102" /M "Stylus CX6600"

O4 - HKLM\..\Run: [QuickTime Task] "K:\programs\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [steam] "K:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Palringo] "C:\Program Files\Palringo\palringo.exe" /hidden

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB

O16 - DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} (ActiveXShadow Control) - https://www.ll2go.com/html/x-file/000/www.l...tiveXShadow.cab

O20 - AppInit_DLLs: oennkc.dll

O20 - Winlogon Notify: iifdCTJb - iifdCTJb.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9802 bytes

-------------------------------------------------------------------------------------------------------------------------

Malwarebytes Log (from a few weeks ago, but the PC has been sitting, turned off since then until tonight)

-----------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.32

Database version: 1616

Windows 5.1.2600 Service Pack 2

1/6/2009 11:14:37 PM

mbam-log-2009-01-06 (23-14-37).txt

Scan type: Full Scan (C:\|D:\|K:\|L:\|)

Objects scanned: 248886

Time elapsed: 1 hour(s), 19 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Your version of MBAM is way out of date and needs to be updated, please.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer.

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


Is there a way to run the most updated version of MBAM without connecting the suspect PC to the internet?

In other words, I can use another PC to download MBAM onto USB stick, and I've been using the USB stick to install MBAM on the suspect PC.

Can I make sure that the most up-to-date version is on the USB stick?

By the way, I might be able to connect the suspect PC to the internet, but have been trying to avoid it until I know it's clean.

Thanks!


Here are updated logs from MBAM and HijackThis, using the latest version of each. MBAM didn't find any more issues.

Recall earlier I mentioned something strange happened when we tried to install NIS2009 (clicking "install" from the autoplay menu didn't work and it tried to do something with the printer).

Here is another sign that things are hosed up on this PC. I did temporarily connect to the internet in order to update MBAM, and tried to post my results below from that same PC. I couldn't log in because I can't enter any text into the username and password boxes. So then I tried opening Google, and I notice I can't get the cursor to show up in the main search box. I can change the address etc, but nothing down in the main screen.

I hope I don't have to do a complete format and restore, but I'm not getting a good feeling about this thing. Thanks for any help you can provide.

-----------------------------------------------

MBAM Log

----------------------------------------------

Malwarebytes' Anti-Malware 1.33

Database version: 1691

Windows 5.1.2600 Service Pack 2

1/24/2009 10:29:10 PM

mbam-log-2009-01-24 (22-29-10).txt

Scan type: Full Scan (C:\|D:\|K:\|L:\|)

Objects scanned: 249160

Time elapsed: 1 hour(s), 21 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------------

Hijack Log

----------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:03:39 AM, on 1/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

K:\Program Files\Steam\Steam.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Palringo\palringo.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\rundll32.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P65 "EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)" /O21 "IP_192.168.0.198_9102" /M "Stylus CX6600"

O4 - HKLM\..\Run: [QuickTime Task] "K:\programs\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [steam] "K:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Palringo] "C:\Program Files\Palringo\palringo.exe" /hidden

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB

O16 - DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} (ActiveXShadow Control) - https://www.ll2go.com/html/x-file/000/www.l...tiveXShadow.cab

O20 - AppInit_DLLs: oennkc.dll

O20 - Winlogon Notify: iifdCTJb - iifdCTJb.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 10143 bytes


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Thanks for re-opening.

Here is the ComboFix log, followed by HijackThis log.

Can I try to use the PC again, to see if it's any better?

-------------------

Combofix Log

------------------

ComboFix 09-01-31.01 - HP_Owner 2009-01-31 19:36:10.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.661 [GMT -5:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\crhkhdrv.ini

c:\windows\system32\TDSSlrvd.dat

c:\windows\system32\uwHQstwa.ini

c:\windows\system32\uwHQstwa.ini2

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_seneka

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))

.

2009-01-23 22:22 . 2009-01-23 22:22 <DIR> d-------- c:\program files\Trend Micro

2009-01-07 21:16 . 2009-01-07 21:18 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\U3

2009-01-07 21:04 . 2009-01-07 21:04 <DIR> d-------- c:\windows\system32\drivers\NIS

2009-01-07 21:04 . 2009-01-07 21:04 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-07 21:04 . 2009-01-07 21:04 <DIR> d-------- c:\program files\Symantec

2009-01-07 21:04 . 2009-01-07 21:04 <DIR> d-------- c:\program files\Norton Internet Security

2009-01-07 21:04 . 2009-01-07 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-01-07 21:04 . 2009-01-07 21:04 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-07 21:04 . 2009-01-07 21:04 60,808 --a------ c:\windows\system32\S32EVNT1.DLL

2009-01-07 21:04 . 2009-01-07 21:04 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys

2009-01-07 21:04 . 2009-01-07 21:04 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-07 21:04 . 2009-01-07 21:04 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-01-07 21:01 . 2009-01-07 21:01 <DIR> d-------- c:\program files\NortonInstaller

2009-01-07 21:01 . 2009-01-07 21:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-01-06 21:06 . 2009-01-24 21:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-06 21:06 . 2009-01-06 21:06 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-01-06 21:06 . 2009-01-06 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-06 21:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-06 21:06 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-01 00:30 --------- d-----w c:\program files\LogMeIn

2009-01-08 02:06 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-08 02:05 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-08 01:52 --------- d-----w c:\program files\CA

2009-01-08 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\CA

2008-12-24 05:02 --------- d-----w c:\program files\Google

2008-12-15 21:11 6,774 ----a-w c:\documents and settings\Panther\Application Data\wklnhst.dat

2008-12-07 22:28 8,896 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat

2008-12-04 20:12 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Move Networks

2008-04-07 13:39 0 ----a-w c:\documents and settings\the so called boss\Application Data\wklnhst.dat

2008-04-05 23:28 22,328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2007-10-09 18:18 2,738 ----a-w c:\documents and settings\The Bomb\Application Data\wklnhst.dat

2007-03-06 02:38 1,928 ----a-w c:\documents and settings\Slimy Fish\Application Data\wklnhst.dat

2007-12-29 04:48 22 --sha-w c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]

"Steam"="k:\program files\Steam\Steam.exe" [2008-10-09 1410296]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-10 68856]

"Palringo"="c:\program files\Palringo\palringo.exe" [2008-10-27 581632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]

"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]

"EPSON Stylus CX6600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 8192]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]

"QuickTime Task"="k:\programs\QuickTime\qttask.exe" [2008-03-28 413696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-04 180269]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]

"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-04 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

My Essentials Wireless USB Utility.lnk - c:\program files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 1568768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-18 18:42 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=oennkc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"= usbmn1x1.dll

"MIDI2"= vpnt.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"k:\\programs\\Sierra\\FEAR\\FEAR.exe"=

"k:\\programs\\Sierra\\FEAR\\FEARMP.exe"=

"k:\\programs\\Sierra Entertainment\\FEARXP2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1000000.07D\SymEFA.sys [2009-01-07 309296]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2009-01-07 254512]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2009-01-07 362544]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-07 99376]

R4 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-07-10 12856]

R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-07-10 47640]

R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2009-01-07 115560]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-02 24652]

S0 ppgmjmgm;ppgmjmgm;c:\windows\system32\drivers\xqzx.sys --> c:\windows\system32\drivers\xqzx.sys [?]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2009-01-07 274808]

S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [2007-09-23 408064]

S3 USBMM1X1;USB Midi 1x1 Driver;c:\windows\system32\drivers\usbmm1x1.sys [2006-10-21 32476]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed0f7d6-dd28-11dd-a715-0019212c95fd}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\wjjikdut.job

- c:\windows\system32\ljJCrQHY.dll []

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

HKLM-Run-PCDrProfiler - (no file)

Notify-iifdCTJb - iifdCTJb.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/?src=aim

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

Trusted Zone: musicmatch.com\online

DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} - hxxps://www.ll2go.com/html/x-file/000/www.ll2go.com/x-res/ActiveXShadow.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-31 19:45:12

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\LogMeIn\x86\ramaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe

c:\program files\AIM6\aolsoftware.exe

c:\hp\KBD\kbd.exe

c:\windows\system\hpsysdrv.exe

c:\program files\Java\jre1.5.0_09\bin\jusched.exe

.

**************************************************************************

.

Completion time: 2009-01-31 19:49:20 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-01 00:49:17

Pre-Run: 41,160,744,960 bytes free

Post-Run: 42,092,052,480 bytes free

200 --- E O F --- 2008-12-19 08:01:00

--------------------------------------------------------------------

HijackThis log

--------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:51:07 PM, on 1/31/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Palringo\palringo.exe

C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P65 "EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)" /O21 "IP_192.168.0.198_9102" /M "Stylus CX6600"

O4 - HKLM\..\Run: [QuickTime Task] "K:\programs\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [steam] "K:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Palringo] "C:\Program Files\Palringo\palringo.exe" /hidden

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB

O16 - DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} (ActiveXShadow Control) - https://www.ll2go.com/html/x-file/000/www.l...tiveXShadow.cab

O20 - AppInit_DLLs: oennkc.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9650 bytes


  • Root Admin

You need to uninstall Acrobat Reader 7

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Please download and run this tool. Follow the directions they've posted; you may want to print them out. How to use SDFix

Post back the log please.


Ok, thanks AdvancedSetup

I uninstalled Acrobat Reader, and ran the SDFix routine and HijackThis again. Below are the results.

I see the problems are still there. Let me know if it's time to give up. Or, if you have any other ideas, I'm definitely willing to try. Whether these efforts fix the problem or not, I appreciate the time, and plan to leave a donation.

Again, here are the two symptoms that don't seem to go away, and I don't know if there are any others yet:

(1) If I open the IE browser to something like Google, I can enter text in the top search bar, but not in the main search box. Or similarly, I can't log into this forum from there, because I can't get the cursor to show up inside the box... Maybe for this issue I could just re-install IE or something, or install Chrome...?

(2) If I put in a NIS2009 CD, and from Autoplay I click "Install", it tries to open my scanner for some strange reason... I can get around that issue and install NIS anyway, but that's not the issue. The fact that it even happens makes me wonder what else is hosed up.

I'm pretty sure I did create the restore CDs when this PC was new (they make you generate your own disks from the restore partition). Or do you think the Restore Partition can still be trusted? If I have to do a restore, I guess I could back up the data that we care about from this PC onto some external drive that's empty and not use any of the backed up data until it is scanned carefully.

Anyway, here are the logs.

--------------------------------

SDFix Report

-------------------------------

SDFix: Version 1.240

Run by HP_Owner on Sun 02/01/2009 at 10:35 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-01 10:54:12

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"

"C:\\Program Files\\Rhapsody\\rhapsody.exe"="C:\\Program Files\\Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"K:\\programs\\Sierra\\FEAR\\FEAR.exe"="K:\\programs\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR"

"K:\\programs\\Sierra\\FEAR\\FEARMP.exe"="K:\\programs\\Sierra\\FEAR\\FEARMP.exe:*:Enabled:FEAR"

"K:\\programs\\Sierra Entertainment\\FEARXP2.exe"="K:\\programs\\Sierra Entertainment\\FEARXP2.exe:*:Enabled:FEARXP2"

"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe:*:Enabled:Battlefield 2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"

Remaining Files :

Files with Hidden Attributes :

Tue 10 Oct 2006 211 A.SHR --- "C:\BOOT.BAK"

Fri 28 Dec 2007 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"

Fri 24 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Sun 18 Sep 2005 788,568 A..H. --- "C:\Program Files\Online Services\Canada\KOL\client.exe"

Wed 17 Aug 2005 13,459,528 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe"

Wed 17 Aug 2005 233,472 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe"

Wed 17 Aug 2005 389,120 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe"

Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"

Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"

Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"

Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"

Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"

Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"

Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"

Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"

Sun 18 Sep 2005 77,824 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll"

Sun 18 Sep 2005 6,961,146 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip"

Sun 18 Sep 2005 3,058,888 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe"

Sun 18 Sep 2005 307,289 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll"

Sun 18 Sep 2005 7,083,361 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe"

Wed 21 Sep 2005 1,960,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip"

Sun 18 Sep 2005 550,488 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe"

Sun 18 Sep 2005 553,984 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe"

Sun 18 Sep 2005 2,242,759 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe"

Sun 18 Sep 2005 24,064 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll"

Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll"

Sun 18 Sep 2005 748,728 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe"

Sun 18 Sep 2005 7,515,304 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe"

Sun 18 Sep 2005 86,016 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll"

Sun 18 Sep 2005 45,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll"

Sun 18 Sep 2005 5,111,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE"

Sun 18 Sep 2005 4,378,673 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe"

Sun 18 Sep 2005 360,448 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe"

Sun 18 Sep 2005 40,960 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll"

Sun 18 Sep 2005 473,736 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe"

Sun 18 Sep 2005 12,288 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll"

Sun 18 Sep 2005 516,032 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe"

Sun 18 Sep 2005 597,080 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe"

Sun 18 Sep 2005 590,688 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe"

Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll"

Sun 18 Sep 2005 49,152 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll"

Sun 18 Sep 2005 61,440 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe"

Sun 18 Sep 2005 3,858,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe"

Finished!

---------------------------------------------------------

HijackThis_Log

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:02:49 AM, on 2/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Palringo\palringo.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P65 "EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)" /O21 "IP_192.168.0.198_9102" /M "Stylus CX6600"

O4 - HKLM\..\Run: [QuickTime Task] "K:\programs\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [steam] "K:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Palringo] "C:\Program Files\Palringo\palringo.exe" /hidden

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB

O16 - DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} (ActiveXShadow Control) - https://www.ll2go.com/html/x-file/000/www.l...tiveXShadow.cab

O20 - AppInit_DLLs: oennkc.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9567 bytes


  • Root Admin

We should be able to get you cleaned up. Sometimes it just takes a little while to complete, is all.

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only" and place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
  • R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
  • R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
  • O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
  • O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P35 "EPSON Stylus CX6600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6600"
  • O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
  • O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
  • O20 - AppInit_DLLs: oennkc.dll
Then quit all browsers, including the one you're reading this in now.

Then click on Fix checked and then quit HJT.

Please remove your current copy of Combofix

To uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, select "2"

Remove this folder C:\QooBox\LastRun if the uninstall instructions don't work.

Please run the following to remove GMER if it's installed.

Click on START - RUN and type in %windir%\gmer_uninstall.cmd and press the ENTER key.

Then run the following tool.

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

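The fix list in the reply above is picked out by pattern: the O20 AppInit_DLLs value, and registrations that end in "(no file)". As an added example (not part of the thread, and not a tool from Malwarebytes or the HijackThis authors), here is a small Python script that parses HJT entry lines, applies those two patterns plus a review flag for O23 services that report no owner, and diffs two logs of the same machine to list which entries disappeared after a fix. The sample lines are constructed from entries quoted in this thread; the rules, function names and the "after" log are my own assumptions, not output from the tools.

```python
import re
from typing import List, Tuple

# Constructed sample lines in HijackThis (HJT) entry format, modelled on entries
# quoted in this thread. Not a complete log.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - AppInit_DLLs: oennkc.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed "after fix" sample (an assumption): the same machine once the
# flagged items are gone.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# An HJT entry line starts with a section code (R0..R3, F0..F3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; header, process list and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply the triage patterns used in the thread and return (entry, reason) pairs.

    A flag means "look at this", not "this is malware": PnkBstrA (PunkBuster) is a
    legitimate service that reports no owner, so the O23 rule is a review prompt only.
    """
    flagged = []
    for section, body in entries:
        entry = f"{section} - {body}"
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:  # an empty AppInit_DLLs value is the normal state
                flagged.append((entry, f"AppInit_DLLs loads {dll} into every process that links user32.dll"))
        elif body.endswith("(no file)"):
            flagged.append((entry, "orphaned registration: the referenced file is missing"))
        elif section == "O23" and "Unknown owner" in body:
            flagged.append((entry, "service without vendor information; verify the binary"))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) entry lines between two HJT logs of the same machine."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, reason in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"FLAG {entry}\n     {reason}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed after fix:", *removed, sep="\n  ")
    print("new after fix:", *added, sep="\n  ")
```

The diff is the part that answers "is it still there": paste the pre-fix and post-fix logs in place of the two constructed samples, and anything that survives in `removed` tells you the fix took, while a non-empty `added` list is what to look at next.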

Advanced Setup,

This is the root_repeal log. Let me also mention that a few days back I installed Google Chrome (so kids could do some school assignments ...). Hopefully that didn't mess things up further. With Chrome we're able to get around the IE issue.

I'd be interested in knowing if there is a way to determine if what we have left on the machine is just damage done from before but it is no longer "infected", or might there still be something lurking waiting to do more damage. If it's the former, then it might not be so bad to use this machine while figuring out how to repair the previous damage. Thanks again!

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/08 10:51

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF3963000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7AF2000 Size: 8192 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB99AD000 Size: 45056 File Visible: No

Status: -

Name: SYMEFA.SYS

Image Path: SYMEFA.SYS

Address: 0xF73A4000 Size: 323584 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\ntuser.dat.LOG

Status: Size mismatch (API: 1024, Raw: 8192)

SSDT

-------------------

#: 012 Function Name: NtAlertResumeThread

Status: Hooked by "<unknown>" at address 0x862f20b8

#: 013 Function Name: NtAlertThread

Status: Hooked by "<unknown>" at address 0x86a0f0b8

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "<unknown>" at address 0x86029d70

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x86a0b050

#: 031 Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x86d9f7c8

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf3d24020

#: 043 Function Name: NtCreateMutant

Status: Hooked by "<unknown>" at address 0x860559a0

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "<unknown>" at address 0x861883f8

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x861ea750

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "<unknown>" at address 0x862ef050

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf3d242a0

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf3d24800

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "<unknown>" at address 0x860577e0

#: 083 Function Name: NtFreeVirtualMemory

Status: Hooked by "<unknown>" at address 0x86184c38

#: 089 Function Name: NtImpersonateAnonymousToken

Status: Hooked by "<unknown>" at address 0x86ad4070

#: 091 Function Name: NtImpersonateThread

Status: Hooked by "<unknown>" at address 0x86ad50b8

#: 097 Function Name: NtLoadDriver

Status: Hooked by "<unknown>" at address 0x86dabe30

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "<unknown>" at address 0x86082008

#: 114 Function Name: NtOpenEvent

Status: Hooked by "<unknown>" at address 0x86a0c050

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x860c0af8

#: 123 Function Name: NtOpenProcessToken

Status: Hooked by "<unknown>" at address 0x86b222f0

#: 125 Function Name: NtOpenSection

Status: Hooked by "<unknown>" at address 0x86b1b7b8

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x86239a00

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "<unknown>" at address 0x86188a80

#: 206 Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x86b14c70

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x86b4e630

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x8602c188

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "<unknown>" at address 0x86af7530

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf3d24a50

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x86ad3050

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x86b098c0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x86b122b8

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x86b12a70

#: 267 Function Name: NtUnmapViewOfSection

Status: Hooked by "<unknown>" at address 0x86e62cf8

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x860570e0


  • Root Admin

Please download and install CCleaner

  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs in that order please.


Ok, thanks. Here are the results of the Quick Scan, Full Scan, and HJT. The problem with IE is still present.

---------------------

quick scan

--------------------

Malwarebytes' Anti-Malware 1.33

Database version: 1742

Windows 5.1.2600 Service Pack 2

2/9/2009 10:04:14 PM

mbam-log-2009-02-09 (22-04-14).txt

Scan type: Quick Scan

Objects scanned: 72320

Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------

full scan

------------------

Malwarebytes' Anti-Malware 1.33

Database version: 1742

Windows 5.1.2600 Service Pack 2

2/10/2009 5:48:17 AM

mbam-log-2009-02-10 (05-48-17).txt

Scan type: Full Scan (C:\|D:\|K:\|L:\|)

Objects scanned: 236437

Time elapsed: 1 hour(s), 49 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------

HJT

---------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:06:59 AM, on 2/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

K:\Program Files\Steam\Steam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Palringo\palringo.exe

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P65 "EPSON Stylus CX6600 Series on DPR1260 (dlinkps-fb355b USB Port_3)" /O21 "IP_192.168.0.198_9102" /M "Stylus CX6600"

O4 - HKLM\..\Run: [QuickTime Task] "K:\programs\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [steam] "K:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Palringo] "C:\Program Files\Palringo\palringo.exe" /hidden

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB

O16 - DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} (ActiveXShadow Control) - https://www.ll2go.com/html/x-file/000/www.l...tiveXShadow.cab

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7873 bytes


Ran Dial-a-fix. Interesting results.

From what I can see, IE is working properly now. Before I wasn't able to get the cursor to show up in the Google Search Window for example. Now I can.

There was another issue that is still there (not related to IE).

When I put in my new NIS2009 CD, and click "install", it brings up my epson scanner screen for some reason. Not a big deal to me though, easy to get around that one.

By the way, Dial-a-fix noticed that I was missing MSHTMLED.DLL in Windows/system32 folder.

When I did a search to find it on my PC, it found several copies (e.g. C:\ProgramFiles\OnlineService\PeoplePC\IE\EN\IEWK2_2.CAB).

But instead I took it from Windows/I386 directory.


  • Root Admin

That sounds good.

My guess for the scanner issue is maybe some missing keys or associations messed up. You could try to re-install the scanner software and see if that fixes it or not.

If there is an MSI and an EXE on the CD for installation of NIS2009 then try right click open on the other one.

How is the computer running otherwise?

Are there still any signs of infection?
