
Help Removing Vundo Please



Hello,

This infection just won't go away.

Panda and HiJack this logs to follow.

As per the instructions here is my MB Log:

Malwarebytes' Anti-Malware 1.10

Database version: 597

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 155728

Time elapsed: 44 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.


Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:01:51 AM, on 4/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\BOINC\boincmgr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\mdm.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://www.tdameritrade.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab

O20 - AppInit_DLLs: cru629.dat

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--

End of file - 7453 bytes


Hi jimnbarb and welcome to Malwarebytes. Please be sure you have your email settings in your *My Controls* panel set to notify you of replies.

Always post the HJT log after any removal scans. I am going to delete this one now, and please repost a new one after the Panda scan.

You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.

This is a rogue program C:\Program Files\WinReanimator\WinReanimator.exe <=========== Uninstall it please and upload the file to here http://uploads.malwarebytes.org/ IF

You're running BitTorrent software, very risky behavior, and a good chance this is part of your problems.

Edited by JeanInMontana
add information & instructions

Here's my Panda scan.

Any help you could give me on this would be appreciated. It is driving me insane.

:P

;*******************************************************************************************************************************************************************************

ANALYSIS: 2008-04-07 10:39:02

PROTECTIONS: 0

MALWARE: 84

SUSPECTS: 0

;*******************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================================================================================================================

;===============================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================================================================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@trafficmp[2].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@trafficmp[1].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@trafficmp[1].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.trafficmp.com/]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@casalemedia[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@casalemedia[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.atdmt.com/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Mozilla\Firefox\Profiles\ky6uec8k.default\cookies.txt[.atdmt.com/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atdmt[2].txt

00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@tradedoubler[1].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Mozilla\Firefox\Profiles\ky6uec8k.default\cookies.txt[.247realmedia.com/]

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@247realmedia[1].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@247realmedia[1].txt

00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bfast[2].txt

00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@bfast[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@fastclick[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@fastclick[2].txt

00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@servedby.advertising[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@tribalfusion[2].txt

00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-eu.falkag[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@mediaplex[2].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@linksynergy[2].txt

00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@anm.co[1].txt

00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@entrepreneur[2].txt

00149002 Cookie/Peel TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@peel[2].txt

00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@maxserving[1].txt

00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@belnk[1].txt

00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@belnk[1].txt

00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.belnk.com/]

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@revenue[2].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@revenue[2].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@findwhat[1].txt

00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@dist.belnk[2].txt

00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@dist.belnk[2].txt

00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.myaffiliateprogram[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@com[1].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@yadro[2].txt

00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@webpower[2].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xiti[1].txt

00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@hotlog[1].txt

00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@z1.adserver[1].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@azjmp[2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@toplist[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@statcounter[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statcounter[2].txt

00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@counter.hitslink[2].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@perf.overture[1].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@perf.overture[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ad.yieldmanager[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@apmebf[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@burstnet[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@burstnet[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@serving-sys[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bs.serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bs.serving-sys[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@www.burstbeacon[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.burstbeacon[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@www.burstbeacon[2].txt

00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-us.falkag[1].txt

00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as1.falkag[2].txt

00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@weborama[2].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adtech[1].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adtech[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@server.iad.liveperson[2].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@server.iad.liveperson[2].txt

00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@stat.onestat[1].txt

00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@fl01.ct2.comclick[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@advertising[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[1].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statse.webtrendslive[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.pointroll[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.pointroll[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@overture[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@overture[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@realmedia[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@realmedia[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@questionmarket[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@questionmarket[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.questionmarket.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@zedo[1].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bluestreak[2].txt

00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xxxcounter[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[2].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bravenet[1].txt

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adultfriendfinder[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@go[1].txt

00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@valueclick[2].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@searchportal.information[1].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@searchportal.information[2].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@searchportal.information[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@target[1].txt

00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ct.360i[1].txt

00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www2.addfreestats[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atwola[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atwola[1].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www6.addfreestats[1].txt

00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ehg-dig.hitbox[2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.addynamix[2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ads.addynamix[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.addynamix[1].txt

00515709 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[VaaaaaaaBaa.class]

00515710 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[baaaaa.class]

00515711 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[baaaaBaa.class]

00516819 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dex.class]

00516820 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dvnny.class]

00516821 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dux.class]

00516823 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dix.class]

01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe

01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi[unk_0029]

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adserver.easyad[1].txt

02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[VaannnaaBaa.class]

02763635 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[bnnnnn.class]

02763636 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[bnnnnBaa.class]

02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advancedcleaner[2].txt

02908018 Cookie/WinReanimator TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@winreanimator[2].txt

02908359 Trj/Cimuz.KK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\msindc.dll

;===============================================================================================================================================================================

SUSPECTS

Sent Location

;===============================================================================================================================================================================

;===============================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================================================================================================================

108742 MEDIUM MS06-006

;===============================================================================================================================================================================


OK,

Hopefully this one is better.

As far as BitTorrent goes, I uninstalled that program months ago. There isn't a folder in my programs called that.

WinReanimator is very recent and IMHO, the source of my agony. I don't recall ever installing that, though I did uninstall it last week when I discovered it.

It doesn't exist in the file structure as far as I can tell.

These guys:

HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

must be coming from my registry right? Should I go in and delete those entries?

In any case here is my new HJT log. Thanks for the quick reply.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:34:43 AM, on 4/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\BOINC\boincmgr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\mdm.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\WINDOWS\system32\sol.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\DEVENV.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://www.tdameritrade.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72

O20 - AppInit_DLLs: cru629.dat

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--

End of file - 8260 bytes


Hi again. You have more than one source of misery. Most likely bundled with the WinReanimator, but we can't be sure.

Run HJT again in scan only and put a check next to these lines.

O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)

O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O20 - AppInit_DLLs: cru629.dat

Now please get this tool:

1. Download this file :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall.


Here is my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:38:41 AM, on 4/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\BOINC\boincmgr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\mdm.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://www.tdameritrade.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--

End of file - 7799 bytes


OK, Combo Fix ran w/o any apparent errors. What next? This is getting kind of fun!

Here is the resulting log from the ComboFix exe:

ComboFix 08-04-07.5 - jantonio 2008-04-08 9:41:31.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT -7:00]

Running from: C:\temp\ComboFix\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com

C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com\played_list.sol

C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com\video_queue.sol

C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com

C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

C:\temp\Temporary Internet Files\aserybyz._dl

C:\temp\Temporary Internet Files\puqazuhek.bin

C:\WINDOWS\system32\duis.txt

C:\WINDOWS\system32\msindc.dll

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))

.

2008-04-08 09:39 . 2008-04-08 09:39 <DIR> d-------- C:\temp\ComboFix

2008-04-07 11:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-04-07 11:13 . 2008-04-07 11:14 <DIR> d-------- C:\Program Files\Java

2008-04-07 11:03 . 2008-04-07 11:03 <DIR> d-------- C:\Program Files\SDM20

2008-04-06 20:38 . 2008-04-06 20:38 <DIR> d-------- C:\Program Files\Panda Security

2008-04-06 19:35 . 2008-04-06 19:38 <DIR> d-------- C:\temp\SPyBotSearchAndDestroy

2008-04-06 18:53 . 2008-04-06 18:53 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-06 18:05 . 2008-04-06 18:07 <DIR> d-------- C:\temp\fixVundo

2008-03-26 15:22 . 2008-03-26 15:36 <DIR> d-------- C:\Program Files\KBSearchAndReplaceTool

2008-03-24 14:12 . 2008-04-01 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-24 14:12 . 2008-03-24 14:12 1,409 --a------ C:\WINDOWS\QTFont.for

2008-03-23 01:25 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Malwarebytes

2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-03-23 01:12 . 2008-03-23 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-03-23 00:42 . 2008-04-06 19:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-03-23 00:42 . 2008-04-06 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-23 00:22 . 2008-03-23 00:22 17,135 --a------ C:\Documents and Settings\All Users\Application Data\mogytusuk.pif

2008-03-23 00:21 . 2008-03-23 00:21 17,983 --a------ C:\Documents and Settings\All Users\Application Data\lyjobavyl.reg

2008-03-23 00:21 . 2008-03-23 00:21 15,248 --a------ C:\Documents and Settings\jantonio\Application Data\awec.reg

2008-03-23 00:21 . 2008-03-23 00:21 12,347 --a------ C:\Documents and Settings\All Users\Application Data\ylytewe.com

2008-03-23 00:17 . 2004-08-10 00:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys

2008-03-22 18:58 . 2008-03-22 18:59 <DIR> d-------- C:\Program Files\QuickTime

2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\Skype

2008-03-10 14:56 . 2008-04-08 09:34 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Skype

2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll

2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys

2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-03-08 05:06 . 2008-03-08 05:06 <DIR> d-------- C:\WINDOWS\SQLTools9_KB932557_ENU

2008-03-08 05:05 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-08 16:49 --------- d-----w C:\Program Files\BOINC

2008-04-06 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-25 18:28 --------- d-----w C:\Program Files\Citrix

2008-03-23 07:21 19,133 ----a-w C:\WINDOWS\aqyfunumys.scr

2008-03-23 07:21 17,105 ----a-w C:\WINDOWS\aceri.com

2008-03-23 07:21 16,713 ----a-w C:\Program Files\Common Files\epytu.lib

2008-03-23 07:21 16,678 ----a-w C:\Program Files\Common Files\idyjyvakac.lib

2008-03-23 07:21 12,411 ----a-w C:\WINDOWS\ypypewoban.dll

2008-03-23 07:21 10,364 ----a-w C:\WINDOWS\udypuhini.dll

2008-03-23 07:21 10,166 ----a-w C:\WINDOWS\ofijibac.scr

2008-03-23 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-03-22 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-03-22 19:01 --------- d-----w C:\Program Files\Microsoft SQL Server

2008-03-18 00:32 --------- d-----w C:\Program Files\NUnit 2.4.6

2008-03-01 19:04 --------- d-----w C:\Program Files\Windows Live

2008-03-01 19:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2006-05-18 20:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]

"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 13:50 729178]

"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 12:39 94208]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 11:56 409600]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 15:26 233534]

"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23 1187840]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-13 17:59:40 113664]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-11-13 14:44:44 4141056]

Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-05-17 11:30:32 1470480]

HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Documents and Settings\\jantonio\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"C:\\Program Files\\Automated QA\\TestComplete 6\\Bin\\TestComplete.exe"=

"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 TestComplete 6 Service;TestComplete 6 Service;"C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe" [2007-11-17 03:11]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-08 09:49:14

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????>????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yeyqase]

"ImagePath"="\??\C:\WINDOWS\system32\ras\yeyqase.mis"

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-04-08 9:54:18 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-08 16:54:14

Pre-Run: 47,158,390,784 bytes free

Post-Run: 47,158,026,240 bytes free

.

2008-03-22 19:05:17 --- E O F ---


Drat, those same 2 files are back again.

Here is the latest MB log, HJT log to follow.

Malwarebytes' Anti-Malware 1.11

Database version: 600

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 144841

Time elapsed: 42 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\TEMP\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\TEMP\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.


Latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:06:02 AM, on 4/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\BOINC\boincmgr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\mdm.exe

C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://www.tdameritrade.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--

End of file - 8263 bytes


Those two things MBAM is showing are temp files. We will do a cleanup of those.

Please upload this file C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe to here. This will ensure it gets added to the database for future removals.

Please upload the file C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe to here and post the results in your next reply. We will make sure it is malware this way.

Now let's sweep the mud out. Get the program here, scan with it, and remove what it finds.

Now please get this tool.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts; you will get a blue cmd prompt screen and a choice of Y or N. Choose Y and hit Enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


OK, the file was uploaded to your site:

Isn't this file needed for my Visual Studio to continue functioning?

VirusTotal scan log follows:

File DEVENV.EXE received on 04.09.2008 17:43:15 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result

AhnLab-V3 2008.4.9.0 2008.04.09 -

AntiVir 7.6.0.81 2008.04.09 -

Authentium 4.93.8 2008.04.09 -

Avast 4.8.1169.0 2008.04.09 -

AVG 7.5.0.516 2008.04.09 -

BitDefender 7.2 2008.04.09 -

CAT-QuickHeal 9.50 2008.04.08 -

ClamAV 0.92.1 2008.04.09 -

DrWeb 4.44.0.09170 2008.04.09 -

eSafe 7.0.15.0 2008.04.09 -

eTrust-Vet 31.3.5684 2008.04.09 -

Ewido 4.0 2008.04.09 -

F-Prot 4.4.2.54 2008.04.08 -

F-Secure 6.70.13260.0 2008.04.09 -

FileAdvisor 1 2008.04.09 -

Fortinet 3.14.0.0 2008.04.09 -

Ikarus T3.1.1.26 2008.04.09 -

Kaspersky 7.0.0.125 2008.04.09 -

McAfee 5269 2008.04.08 -

Microsoft 1.3408 2008.04.09 -

NOD32v2 3013 2008.04.09 -

Norman 5.80.02 2008.04.09 -

Panda 9.0.0.4 2008.04.08 -

Prevx1 V2 2008.04.09 -

Rising 20.39.12.00 2008.04.08 -

Sophos 4.28.0 2008.04.09 -

Sunbelt 3.0.1032.0 2008.04.08 -

Symantec 10 2008.04.09 -

TheHacker 6.2.92.269 2008.04.09 -

VBA32 3.12.6.4 2008.04.06 -

VirusBuster 4.3.26:9 2008.04.08 -

Webwasher-Gateway 6.6.2 2008.04.09 -

Additional information

File size: 264464 bytes

MD5...: fd98dc9ba3d3d5690699156d9eab310e

SHA1..: 1fe260ae0574e0c4dd9149f640d171e6b98afeea

SHA256: f210161162f1b5e744733fa53ea83961b59ce09282694384002b28a6f238cc8c

SHA512: e0b214365affee1eeeabd004e6b5f83cd3031c451af2b6f9a1ee0a61d26b1b7b3800e095ad3c574f84f4710081b3784096a96612e6f4c1c6b69f345c6a3321c3

PEiD..: InstallShield 2000

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x401172

timedatestamp.....: 0x3587655b (Wed Jun 17 06:42:35 1998)

machinetype.......: 0x14c (I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x2eba 0x3000 6.22 c0aea2c0b6bab8a932769f083eeebeeb

.data 0x4000 0x250 0x400 0.48 16add10d5629c6961abca98e1bdd858c

.rsrc 0x5000 0x3cc68 0x3ce00 4.79 a4c84968e659bf9232ed9a5ba70f440f

( 6 imports )

> KERNEL32.dll: FindResourceA, FreeResource, SizeofResource, LoadResource, lstrlenA, LoadLibraryA, CreateDirectoryA, GetStartupInfoA, GetModuleHandleA, lstrcpyA, lstrcmpA, lstrcatA, IsDBCSLeadByte, GetFileAttributesA, lstrcmpiA, GetProcAddress

> USER32.dll: EndPaint, BeginPaint, LoadBitmapA, DefWindowProcA, GetSystemMetrics, SystemParametersInfoA, CharNextA, wsprintfA, LoadStringA, DestroyWindow, MessageBoxA, UpdateWindow, CreateWindowExA, RegisterClassA, ReleaseDC, OffsetRect, InflateRect, DrawTextA, GetDC

> GDI32.dll: SelectObject, CreatePalette, SetTextColor, TextOutA, DeleteObject, DeleteDC, GetObjectA, SetBkMode, CreateFontIndirectA, GetTextExtentPoint32A, GetStockObject, Rectangle, SelectPalette, GetDeviceCaps, CreateDIBitmap, SetStretchBltMode, RealizePalette, CreateCompatibleDC, BitBlt

> ADVAPI32.dll: RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegOpenKeyExA, RegOpenKeyA, RegQueryValueA, RegCloseKey

> SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc

> MSVCRT.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, strchr, free, malloc, _controlfp

( 0 exports )


Here is the combofix log:

ComboFix 08-04-08.10 - jantonio 2008-04-09 9:31:26.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -7:00]

Running from: C:\temp\ComboFix\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))

.

2008-04-09 09:01 . 2008-04-09 09:01 <DIR> d-------- C:\Program Files\CCleaner

2008-04-09 08:59 . 2008-04-09 09:00 <DIR> d-------- C:\temp\CCleaner

2008-04-08 09:39 . 2008-04-09 09:11 <DIR> d-------- C:\temp\ComboFix

2008-04-07 11:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-04-07 11:13 . 2008-04-07 11:14 <DIR> d-------- C:\Program Files\Java

2008-04-07 11:03 . 2008-04-07 11:03 <DIR> d-------- C:\Program Files\SDM20

2008-04-06 20:38 . 2008-04-06 20:38 <DIR> d-------- C:\Program Files\Panda Security

2008-04-06 19:35 . 2008-04-06 19:38 <DIR> d-------- C:\temp\SPyBotSearchAndDestroy

2008-04-06 18:53 . 2008-04-06 18:53 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-06 18:05 . 2008-04-06 18:07 <DIR> d-------- C:\temp\fixVundo

2008-03-26 15:22 . 2008-03-26 15:36 <DIR> d-------- C:\Program Files\KBSearchAndReplaceTool

2008-03-24 14:12 . 2008-04-01 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-24 14:12 . 2008-03-24 14:12 1,409 --a------ C:\WINDOWS\QTFont.for

2008-03-23 01:25 . 2008-04-08 10:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Malwarebytes

2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-03-23 01:12 . 2008-03-23 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-03-23 00:42 . 2008-04-06 19:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-03-23 00:42 . 2008-04-06 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-23 00:22 . 2008-03-23 00:22 17,135 --a------ C:\Documents and Settings\All Users\Application Data\mogytusuk.pif

2008-03-23 00:21 . 2008-03-23 00:21 17,983 --a------ C:\Documents and Settings\All Users\Application Data\lyjobavyl.reg

2008-03-23 00:21 . 2008-03-23 00:21 15,248 --a------ C:\Documents and Settings\jantonio\Application Data\awec.reg

2008-03-23 00:21 . 2008-03-23 00:21 12,347 --a------ C:\Documents and Settings\All Users\Application Data\ylytewe.com

2008-03-23 00:17 . 2004-08-10 00:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys

2008-03-22 18:58 . 2008-03-22 18:59 <DIR> d-------- C:\Program Files\QuickTime

2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\Skype

2008-03-10 14:56 . 2008-04-09 08:58 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Skype

2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll

2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys

2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-09 15:32 --------- d-----w C:\Program Files\BOINC

2008-04-06 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-25 18:28 --------- d-----w C:\Program Files\Citrix

2008-03-23 07:21 19,133 ----a-w C:\WINDOWS\aqyfunumys.scr

2008-03-23 07:21 17,105 ----a-w C:\WINDOWS\aceri.com

2008-03-23 07:21 16,713 ----a-w C:\Program Files\Common Files\epytu.lib

2008-03-23 07:21 16,678 ----a-w C:\Program Files\Common Files\idyjyvakac.lib

2008-03-23 07:21 12,411 ----a-w C:\WINDOWS\ypypewoban.dll

2008-03-23 07:21 10,565 ----a-w C:\WINDOWS\system32\kirini.bat

2008-03-23 07:21 10,364 ----a-w C:\WINDOWS\udypuhini.dll

2008-03-23 07:21 10,166 ----a-w C:\WINDOWS\ofijibac.scr

2008-03-23 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-03-22 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-03-22 19:01 --------- d-----w C:\Program Files\Microsoft SQL Server

2008-03-18 00:32 --------- d-----w C:\Program Files\NUnit 2.4.6

2008-03-08 12:05 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2008-03-01 19:04 --------- d-----w C:\Program Files\Windows Live

2008-03-01 19:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll

2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

2006-05-18 20:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((( snapshot@2008-04-08_ 9.54.01.39 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-07 15:02:09 64,518 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-04-08 23:00:09 64,518 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-04-07 15:02:10 408,676 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-04-08 23:00:09 408,676 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]

"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 13:50 729178]

"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 12:39 94208]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 11:56 409600]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 15:26 233534]

"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23 1187840]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-13 17:59:40 113664]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-11-13 14:44:44 4141056]

Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-05-17 11:30:32 1470480]

HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Documents and Settings\\jantonio\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"C:\\Program Files\\Automated QA\\TestComplete 6\\Bin\\TestComplete.exe"=

"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 TestComplete 6 Service;TestComplete 6 Service;"C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe" [2007-11-17 03:11]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-09 09:34:57

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????=????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\yeyqase]

"ImagePath"="\??\C:\WINDOWS\system32\ras\yeyqase.mis"

.

Completion time: 2008-04-09 9:36:18

ComboFix-quarantined-files.txt 2008-04-09 16:36:00

ComboFix2.txt 2008-04-08 16:54:18

Pre-Run: 48,742,395,904 bytes free

Post-Run: 48,735,064,064 bytes free

.

2008-03-22 19:05:17 --- E O F ---


Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:40:40 AM, on 4/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BOINC\boincmgr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\mdm.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://www.tdameritrade.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--

End of file - 8222 bytes


Hi Jim. How are things running?

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

I should have had you remove that one too. Sorry.

Nothing is showing in the HJT log. But I would like your feedback.


Does that mean my machine is rid of its infection?

As far as my machine goes... it still seems very sluggish, especially when loading web pages.

I also am noticing that the little idiot light that goes off whenever the laptop is doing some "thinking" flashes on and off about once a second.

I'm pretty sure (though not 100%) that it wasn't doing that before.

Right when this whole thing started my provider (Comcast) blocked my default email port because apparently my machine was spewing email.

I can't help but think it might still be trying to do that (though I have no real evidence).

Since I do WebDev for a living, being able to refresh web pages quickly is key.

Right now it's averaging about 1 min per page reload.

Any ideas?


No, it does not mean you're clean, and with your added information my best advice is that you reformat. Your system was part of a spambot net. That means you have a rootkit allowing someone else to control the machine. There is no guarantee we can ever remove it without a reformat. You should notify all banks, credit cards, and any place with sensitive information, and change all passwords. You may have had your identity stolen.


Jim, in cases where we know a system has been compromised in the way yours has been, we have to recommend a reformat out of responsibility to the user. Please don't think it has anything to do with the site or the tools we have used. It is the nature of the malware. Since you don't have any "clues" so to speak even showing it, and yet we know you have been compromised, I have no confidence we will get it. You must have got something very new that no one has been able to track down yet. I would not just quit on you if I thought we had a good chance of cleaning your system. The people behind these tools work nonstop at finding the new stuff and ways to get rid of it. They do it for free.

When you bought your PC did you get the full CD for Windows? Or any CD, actually? You have an HP and they usually have a recovery partition. However, it could also be infected. If you have the CD for Windows it is simple: stick it in and choose the reformat or reinstall option. You should be able to back up to CD anything you need to save now before you lose it. You have an HP and my experience with them has been great in customer service; if you're still under warranty, use it. Also check out the built-in Help section. I'm sure you can order a full Windows CD from them too and maybe get it cheaper; I got mine for $10.00 when I bought the machine.

Let me know if you need more info. I am so very sorry to have to be the one to give you this news. I truly think this is the best route. I will give you some tips on preventing this in the future, too, in my closing remarks.


I do not have any problem with the software you told me to run or your advice.

It all seemed relevant, useful and delivered in a timely manner.

I have nothing but praise for you.

:P

However, it's going to be a week before I can bring my machine down for an indeterminate amount of time.

Once I do the reformat and put my machine back together I will report back.

All passwords to critical information have been changed via another computer.

Thanks for the heads up on that as well.

Any advice in this endeavor is appreciated.

Thanks again, I will post once I am back in shape.


If this machine is networked you might have all machines connected to it infected. You should keep it offline until you reformat. Reformatting itself doesn't take that long. It's the reinstalling of all the software and Windows updates that takes a long time, and tweaking your personal settings, etc. DO NOT get back online without a good firewall. Download it and burn it to a disk if need be. Or use the Windows one, get a decent firewall, and then continue with updates, etc.
