jimnbarb Posted April 7, 2008 ID:15769 Share Posted April 7, 2008 Hello,This infection just won't go away.Panda and HiJack this logs to follow.As per the instructions here is my MB Log:Malwarebytes' Anti-Malware 1.10Database version: 597Scan type: Full Scan (C:\|D:\|)Objects scanned: 155728Time elapsed: 44 minute(s), 56 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
jimnbarb Posted April 7, 2008 Author ID:15772 Share Posted April 7, 2008 Here is the HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:01:51 AM, on 4/7/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\Program Files\BOINC\boincmgr.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\BOINC\boinc.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\system32\mdm.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptopO2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dllO3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hideO4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exeO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptopO15 - Trusted Zone: http://www.tdameritrade.comO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cabO20 - AppInit_DLLs: cru629.datO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe--End of file - 7453 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted April 7, 2008 ID:15775 Share Posted April 7, 2008 (edited) Hi jimnbarb and welcome to Malwarebytes. Please be sure you have your email settings inn your * My Controls* panel to notify you of replies.Always post the HJT log after any removal scans. I am going to delete this one now and please repost an new one after the Panda scan You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.This is a rogue program C:\Program Files\WinReanimator\WinReanimator.exe <=========== Uninstall it please and upload the file to here http://uploads.malwarebytes.org/ IF Your running bit torrent software, very risky behavior, and a good chance this is part of your problems. Edited April 7, 2008 by JeanInMontana add information & instructions Link to post Share on other sites More sharing options...
jimnbarb Posted April 7, 2008 Author ID:15780 Share Posted April 7, 2008 Here's my Panda scan.Any help you could give me on this would be appreciated. It is driving me insane.;***********************************************************************************************************************************************************************************ANALYSIS: 2008-04-07 10:39:02PROTECTIONS: 0MALWARE: 84SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@trafficmp[2].txt00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@trafficmp[1].txt00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.trafficmp.com/]00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@trafficmp[1].txt00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.trafficmp.com/]00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@casalemedia[1].txt00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@casalemedia[1].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@doubleclick[1].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@doubleclick[1].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@doubleclick[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.atdmt.com/]00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@atdmt[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atdmt[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Mozilla\Firefox\Profiles\ky6uec8k.default\cookies.txt[.atdmt.com/]00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atdmt[2].txt00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@tradedoubler[1].txt00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Mozilla\Firefox\Profiles\ky6uec8k.default\cookies.txt[.247realmedia.com/]00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@247realmedia[1].txt00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@247realmedia[1].txt00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bfast[2].txt00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@bfast[2].txt00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@fastclick[2].txt00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@fastclick[2].txt00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@servedby.advertising[1].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@tribalfusion[1].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@tribalfusion[1].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@tribalfusion[2].txt00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-eu.falkag[2].txt00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@mediaplex[1].txt00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@mediaplex[2].txt00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@linksynergy[2].txt00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@anm.co[1].txt00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@entrepreneur[2].txt00149002 Cookie/Peel TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@peel[2].txt00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@maxserving[1].txt00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@belnk[1].txt00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@belnk[1].txt00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.belnk.com/]00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@revenue[2].txt00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@revenue[2].txt00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@findwhat[1].txt00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@dist.belnk[2].txt00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@dist.belnk[2].txt00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.myaffiliateprogram[1].txt00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@com[1].txt00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@com[1].txt00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@yadro[2].txt00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@webpower[2].txt00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xiti[1].txt00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@hotlog[1].txt00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@z1.adserver[1].txt00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@azjmp[2].txt00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@toplist[1].txt00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@statcounter[1].txt00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statcounter[2].txt00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@counter.hitslink[2].txt00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@perf.overture[1].txt00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@perf.overture[1].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ad.yieldmanager[2].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ad.yieldmanager[2].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@apmebf[2].txt00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@burstnet[2].txt00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@burstnet[2].txt00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@serving-sys[1].txt00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@serving-sys[2].txt00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bs.serving-sys[1].txt00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bs.serving-sys[1].txt00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@www.burstbeacon[1].txt00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.burstbeacon[1].txt00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@www.burstbeacon[2].txt00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-us.falkag[1].txt00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as1.falkag[2].txt00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@weborama[2].txt00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adtech[1].txt00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adtech[1].txt00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@server.iad.liveperson[2].txt00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@server.iad.liveperson[2].txt00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@stat.onestat[1].txt00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@fl01.ct2.comclick[2].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@advertising[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advertising[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@advertising[2].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[1].txt00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statse.webtrendslive[2].txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.pointroll[2].txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.pointroll[1].txt00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@overture[1].txt00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@overture[2].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@realmedia[1].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@realmedia[2].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@realmedia[2].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@questionmarket[1].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@questionmarket[2].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@questionmarket[1].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.questionmarket.com/]00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@zedo[1].txt00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bluestreak[2].txt00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xxxcounter[2].txt00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[2].txt00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bravenet[1].txt00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adultfriendfinder[2].txt00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@go[1].txt00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@go[1].txt00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@valueclick[2].txt00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@searchportal.information[1].txt00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@searchportal.information[2].txt00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@searchportal.information[1].txt00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@target[1].txt00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ct.360i[1].txt00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www2.addfreestats[1].txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atwola[2].txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atwola[1].txt00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www6.addfreestats[1].txt00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ehg-dig.hitbox[2].txt00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.addynamix[2].txt00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ads.addynamix[1].txt00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.addynamix[1].txt00515709 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[VaaaaaaaBaa.class]00515710 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[baaaaa.class]00515711 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[baaaaBaa.class]00516819 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dex.class]00516820 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dvnny.class]00516821 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dux.class]00516823 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dix.class]01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi[unk_0029]01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adserver.easyad[1].txt02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[VaannnaaBaa.class]02763635 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[bnnnnn.class]02763636 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[bnnnnBaa.class]02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advancedcleaner[2].txt02908018 Cookie/WinReanimator TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@winreanimator[2].txt02908359 Trj/Cimuz.KK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\msindc.dll;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;=================================================================================================================================================================================== 108742 MEDIUM MS06-006 ;=================================================================================================================================================================================== Link to post Share on other sites More sharing options...
jimnbarb Posted April 7, 2008 Author ID:15783 Share Posted April 7, 2008 OK,Hopefully this one is better.As far as BitTorrent goes, I uninstalled that prgram months ago. There isn't a folder in my programs called that.WinReanimator is very recent and IMHO, the source of my agony. I don't recall ever installing that, though I did uninstall it last week when I discovered it.It doesn't exist in the file structure as far as I can tell.These guys:HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hideO4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimizedmust be coming from my registry right? Should I go in and delete those entries?In any case here is my new HJT log. Thanks for the quick reply.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:34:43 AM, on 4/7/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\Program Files\BOINC\boincmgr.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\BOINC\boinc.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\mdm.exeC:\Program Files\Microsoft Office\Office\OUTLOOK.EXEC:\WINDOWS\system32\sol.exeC:\Program Files\Cisco Systems\VPN Client\vpngui.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\DEVENV.EXEC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptopO2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hideO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exeO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptopO15 - Trusted Zone: http://www.tdameritrade.comO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72O20 - AppInit_DLLs: cru629.datO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe--End of file - 8260 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted April 7, 2008 ID:15788 Share Posted April 7, 2008 Hi again. You have more than one source of misery. Most likely bundled with the Winreanimator but we can't be sure. Run HJT again in scan only and put a check next to these lines.O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hideO4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimizedO20 - AppInit_DLLs: cru629.datNow please get this tool:1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
jimnbarb Posted April 7, 2008 Author ID:15793 Share Posted April 7, 2008 I had a question.You said to run Hijack this and put check marks next to certain items.Do I do anything after that point, like run "Fix Check" or something? or do I just produce another log? Link to post Share on other sites More sharing options...
JeanInMontana Posted April 8, 2008 ID:15837 Share Posted April 8, 2008 Ooops yes click fix after you check mark those lines. Sorry Link to post Share on other sites More sharing options...
jimnbarb Posted April 8, 2008 Author ID:15842 Share Posted April 8, 2008 Here is my latest HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:38:41 AM, on 4/8/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\Program Files\BOINC\boincmgr.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\BOINC\boinc.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\mdm.exeC:\Program Files\Microsoft Office\Office\OUTLOOK.EXEC:\Program Files\Cisco Systems\VPN Client\vpngui.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXER1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptopO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exeO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptopO15 - Trusted Zone: http://www.tdameritrade.comO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe--End of file - 7799 bytes Link to post Share on other sites More sharing options...
jimnbarb Posted April 8, 2008 Author ID:15844 Share Posted April 8, 2008 OK, Combo Fix ran w/o any apparent errors. What next? This is getting kind of fun!Here is the resulting log from the ComboFix exe:ComboFix 08-04-07.5 - jantonio 2008-04-08 9:41:31.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT -7:00]Running from: C:\temp\ComboFix\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.comC:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com\played_list.solC:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com\video_queue.solC:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.comC:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.solC:\temp\Temporary Internet Files\aserybyz._dlC:\temp\Temporary Internet Files\puqazuhek.binC:\WINDOWS\system32\duis.txtC:\WINDOWS\system32\msindc.dllD:\Autorun.inf.((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 ))))))))))))))))))))))))))))))).2008-04-08 09:39 . 2008-04-08 09:39 <DIR> d-------- C:\temp\ComboFix2008-04-07 11:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl2008-04-07 11:13 . 2008-04-07 11:14 <DIR> d-------- C:\Program Files\Java2008-04-07 11:03 . 2008-04-07 11:03 <DIR> d-------- C:\Program Files\SDM202008-04-06 20:38 . 2008-04-06 20:38 <DIR> d-------- C:\Program Files\Panda Security2008-04-06 19:35 . 2008-04-06 19:38 <DIR> d-------- C:\temp\SPyBotSearchAndDestroy2008-04-06 18:53 . 2008-04-06 18:53 <DIR> d-------- C:\Program Files\Trend Micro2008-04-06 18:05 . 2008-04-06 18:07 <DIR> d-------- C:\temp\fixVundo2008-03-26 15:22 . 2008-03-26 15:36 <DIR> d-------- C:\Program Files\KBSearchAndReplaceTool2008-03-24 14:12 . 2008-04-01 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn2008-03-24 14:12 . 2008-03-24 14:12 1,409 --a------ C:\WINDOWS\QTFont.for2008-03-23 01:25 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Malwarebytes2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-03-23 01:12 . 2008-03-23 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft2008-03-23 00:42 . 2008-04-06 19:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2008-03-23 00:42 . 2008-04-06 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-03-23 00:22 . 2008-03-23 00:22 17,135 --a------ C:\Documents and Settings\All Users\Application Data\mogytusuk.pif2008-03-23 00:21 . 2008-03-23 00:21 17,983 --a------ C:\Documents and Settings\All Users\Application Data\lyjobavyl.reg2008-03-23 00:21 . 2008-03-23 00:21 15,248 --a------ C:\Documents and Settings\jantonio\Application Data\awec.reg2008-03-23 00:21 . 2008-03-23 00:21 12,347 --a------ C:\Documents and Settings\All Users\Application Data\ylytewe.com2008-03-23 00:17 . 2004-08-10 00:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys2008-03-22 18:58 . 2008-03-22 18:59 <DIR> d-------- C:\Program Files\QuickTime2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\Skype2008-03-10 14:56 . 2008-04-08 09:34 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Skype2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys2008-03-08 05:06 . 2008-03-08 05:06 <DIR> d-------- C:\WINDOWS\SQLTools9_KB932557_ENU2008-03-08 05:05 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-04-08 16:49 --------- d-----w C:\Program Files\BOINC2008-04-06 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-03-25 18:28 --------- d-----w C:\Program Files\Citrix2008-03-23 07:21 19,133 ----a-w C:\WINDOWS\aqyfunumys.scr2008-03-23 07:21 17,105 ----a-w C:\WINDOWS\aceri.com2008-03-23 07:21 16,713 ----a-w C:\Program Files\Common Files\epytu.lib2008-03-23 07:21 16,678 ----a-w C:\Program Files\Common Files\idyjyvakac.lib2008-03-23 07:21 12,411 ----a-w C:\WINDOWS\ypypewoban.dll2008-03-23 07:21 10,364 ----a-w C:\WINDOWS\udypuhini.dll2008-03-23 07:21 10,166 ----a-w C:\WINDOWS\ofijibac.scr2008-03-23 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer2008-03-22 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help2008-03-22 19:01 --------- d-----w C:\Program Files\Microsoft SQL Server2008-03-18 00:32 --------- d-----w C:\Program Files\NUnit 2.4.62008-03-01 19:04 --------- d-----w C:\Program Files\Windows Live2008-03-01 19:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller2008-03-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller2006-05-18 20:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 13:50 729178]"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 12:39 94208]"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 11:56 409600]"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 15:26 233534]"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23 1187840]"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-13 17:59:40 113664]Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-11-13 14:44:44 4141056]Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-05-17 11:30:32 1470480]HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\WINDOWS\\system32\\mmc.exe"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="C:\\Documents and Settings\\jantonio\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"="C:\\Program Files\\Automated QA\\TestComplete 6\\Bin\\TestComplete.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe"=R2 TestComplete 6 Service;TestComplete 6 Service;"C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe" [2007-11-17 03:11]R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [].**************************************************************************catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-04-08 09:49:14Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????>????|?????? ???B?????????????hLC? ?????? scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yeyqase]"ImagePath"="\??\C:\WINDOWS\system32\ras\yeyqase.mis".------------------------ Other Running Processes ------------------------.C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\BOINC\boinc.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\WINDOWS\system32\wscntfy.exe.**************************************************************************.Completion time: 2008-04-08 9:54:18 - machine was rebootedComboFix-quarantined-files.txt 2008-04-08 16:54:14Pre-Run: 47,158,390,784 bytes freePost-Run: 47,158,026,240 bytes free.2008-03-22 19:05:17 --- E O F --- Link to post Share on other sites More sharing options...
JeanInMontana Posted April 8, 2008 ID:15847 Share Posted April 8, 2008 Several things were removed. Let's get a new scan with MBAM too be sure to update. HJT log please and how is the system running now? Link to post Share on other sites More sharing options...
jimnbarb Posted April 8, 2008 Author ID:15849 Share Posted April 8, 2008 Drat, those same 2 files are back again.Here is the latest MB log, HJT log to follow.Malwarebytes' Anti-Malware 1.11Database version: 600Scan type: Full Scan (C:\|D:\|)Objects scanned: 144841Time elapsed: 42 minute(s), 32 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\TEMP\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\TEMP\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
jimnbarb Posted April 8, 2008 Author ID:15850 Share Posted April 8, 2008 Latest HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:06:02 AM, on 4/8/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\Program Files\BOINC\boincmgr.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\BOINC\boinc.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Microsoft Office\Office\OUTLOOK.EXEC:\Program Files\Cisco Systems\VPN Client\vpngui.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\system32\mdm.exeC:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptopO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exeO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptopO15 - Trusted Zone: http://www.tdameritrade.comO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe--End of file - 8263 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted April 9, 2008 ID:15897 Share Posted April 9, 2008 Those two things MBAM is showing are temp files. We will do a cleanup of those.Please upload this file C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe to here . This will ensure it gets added to the data base for future removals. Please upload the file C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe to here and post the results in your next reply. We will make sure it is malware this way.Now let's sweep the mud out. Get the program here and scan with it remove what it finds. Now please get this tool.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
jimnbarb Posted April 9, 2008 Author ID:15902 Share Posted April 9, 2008 OK, the file was uploaded to your site:Isn't this file needed for my Visual Studio to continue functioning?VirusTotal scan log follows:File DEVENV.EXE received on 04.09.2008 17:43:15 (CET)Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/32 (0%)Loading server information... Your file is queued in position: 9.Estimated start time is between 66 and 94 seconds.Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment,results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result AhnLab-V3 2008.4.9.0 2008.04.09 - AntiVir 7.6.0.81 2008.04.09 - Authentium 4.93.8 2008.04.09 - Avast 4.8.1169.0 2008.04.09 - AVG 7.5.0.516 2008.04.09 - BitDefender 7.2 2008.04.09 - CAT-QuickHeal 9.50 2008.04.08 - ClamAV 0.92.1 2008.04.09 - DrWeb 4.44.0.09170 2008.04.09 - eSafe 7.0.15.0 2008.04.09 - eTrust-Vet 31.3.5684 2008.04.09 - Ewido 4.0 2008.04.09 - F-Prot 4.4.2.54 2008.04.08 - F-Secure 6.70.13260.0 2008.04.09 - FileAdvisor 1 2008.04.09 - Fortinet 3.14.0.0 2008.04.09 - Ikarus T3.1.1.26 2008.04.09 - Kaspersky 7.0.0.125 2008.04.09 - McAfee 5269 2008.04.08 - Microsoft 1.3408 2008.04.09 - NOD32v2 3013 2008.04.09 - Norman 5.80.02 2008.04.09 - Panda 9.0.0.4 2008.04.08 - Prevx1 V2 2008.04.09 - Rising 20.39.12.00 2008.04.08 - Sophos 4.28.0 2008.04.09 - Sunbelt 3.0.1032.0 2008.04.08 - Symantec 10 2008.04.09 - TheHacker 6.2.92.269 2008.04.09 - VBA32 3.12.6.4 2008.04.06 - VirusBuster 4.3.26:9 2008.04.08 - Webwasher-Gateway 6.6.2 2008.04.09 - Additional information File size: 264464 bytes MD5...: fd98dc9ba3d3d5690699156d9eab310e SHA1..: 1fe260ae0574e0c4dd9149f640d171e6b98afeea SHA256: f210161162f1b5e744733fa53ea83961b59ce09282694384002b28a6f238cc8c SHA512: e0b214365affee1eeeabd004e6b5f83cd3031c451af2b6f9a1ee0a61d26b1b7b3800e095ad3c574f84f4710081b3784096a96612e6f4c1c6b69f345c6a3321c3 PEiD..: InstallShield 2000 PEInfo: PE Structure information( base data )entrypointaddress.: 0x401172timedatestamp.....: 0x3587655b (Wed Jun 17 06:42:35 1998)machinetype.......: 0x14c (I386)( 3 sections )name viradd virsiz rawdsiz ntrpy md5.text 0x1000 0x2eba 0x3000 6.22 c0aea2c0b6bab8a932769f083eeebeeb.data 0x4000 0x250 0x400 0.48 16add10d5629c6961abca98e1bdd858c.rsrc 0x5000 0x3cc68 0x3ce00 4.79 a4c84968e659bf9232ed9a5ba70f440f( 6 imports ) > KERNEL32.dll: FindResourceA, FreeResource, SizeofResource, LoadResource, lstrlenA, LoadLibraryA, CreateDirectoryA, GetStartupInfoA, GetModuleHandleA, lstrcpyA, lstrcmpA, lstrcatA, IsDBCSLeadByte, GetFileAttributesA, lstrcmpiA, GetProcAddress> USER32.dll: EndPaint, BeginPaint, LoadBitmapA, DefWindowProcA, GetSystemMetrics, SystemParametersInfoA, CharNextA, wsprintfA, LoadStringA, DestroyWindow, MessageBoxA, UpdateWindow, CreateWindowExA, RegisterClassA, ReleaseDC, OffsetRect, InflateRect, DrawTextA, GetDC> GDI32.dll: SelectObject, CreatePalette, SetTextColor, TextOutA, DeleteObject, DeleteDC, GetObjectA, SetBkMode, CreateFontIndirectA, GetTextExtentPoint32A, GetStockObject, Rectangle, SelectPalette, GetDeviceCaps, CreateDIBitmap, SetStretchBltMode, RealizePalette, CreateCompatibleDC, BitBlt> ADVAPI32.dll: RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegOpenKeyExA, RegOpenKeyA, RegQueryValueA, RegCloseKey> SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc> MSVCRT.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, strchr, free, malloc, _controlfp( 0 exports ) Link to post Share on other sites More sharing options...
JeanInMontana Posted April 9, 2008 ID:15904 Share Posted April 9, 2008 Yes it looks like it is legit. I had found some instances where the file was bad with the same name. Malware does this, names itself after known good files. Please continue with the rest of my instructions. Link to post Share on other sites More sharing options...
jimnbarb Posted April 9, 2008 Author ID:15906 Share Posted April 9, 2008 Here is the combofix log:ComboFix 08-04-08.10 - jantonio 2008-04-09 9:31:26.2 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -7:00]Running from: C:\temp\ComboFix\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 ))))))))))))))))))))))))))))))).2008-04-09 09:01 . 2008-04-09 09:01 <DIR> d-------- C:\Program Files\CCleaner2008-04-09 08:59 . 2008-04-09 09:00 <DIR> d-------- C:\temp\CCleaner2008-04-08 09:39 . 2008-04-09 09:11 <DIR> d-------- C:\temp\ComboFix2008-04-07 11:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl2008-04-07 11:13 . 2008-04-07 11:14 <DIR> d-------- C:\Program Files\Java2008-04-07 11:03 . 2008-04-07 11:03 <DIR> d-------- C:\Program Files\SDM202008-04-06 20:38 . 2008-04-06 20:38 <DIR> d-------- C:\Program Files\Panda Security2008-04-06 19:35 . 2008-04-06 19:38 <DIR> d-------- C:\temp\SPyBotSearchAndDestroy2008-04-06 18:53 . 2008-04-06 18:53 <DIR> d-------- C:\Program Files\Trend Micro2008-04-06 18:05 . 2008-04-06 18:07 <DIR> d-------- C:\temp\fixVundo2008-03-26 15:22 . 2008-03-26 15:36 <DIR> d-------- C:\Program Files\KBSearchAndReplaceTool2008-03-24 14:12 . 2008-04-01 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn2008-03-24 14:12 . 2008-03-24 14:12 1,409 --a------ C:\WINDOWS\QTFont.for2008-03-23 01:25 . 2008-04-08 10:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Malwarebytes2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-03-23 01:12 . 2008-03-23 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft2008-03-23 00:42 . 2008-04-06 19:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2008-03-23 00:42 . 2008-04-06 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-03-23 00:22 . 2008-03-23 00:22 17,135 --a------ C:\Documents and Settings\All Users\Application Data\mogytusuk.pif2008-03-23 00:21 . 2008-03-23 00:21 17,983 --a------ C:\Documents and Settings\All Users\Application Data\lyjobavyl.reg2008-03-23 00:21 . 2008-03-23 00:21 15,248 --a------ C:\Documents and Settings\jantonio\Application Data\awec.reg2008-03-23 00:21 . 2008-03-23 00:21 12,347 --a------ C:\Documents and Settings\All Users\Application Data\ylytewe.com2008-03-23 00:17 . 2004-08-10 00:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys2008-03-22 18:58 . 2008-03-22 18:59 <DIR> d-------- C:\Program Files\QuickTime2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\Skype2008-03-10 14:56 . 2008-04-09 08:58 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Skype2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-04-09 15:32 --------- d-----w C:\Program Files\BOINC2008-04-06 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-03-25 18:28 --------- d-----w C:\Program Files\Citrix2008-03-23 07:21 19,133 ----a-w C:\WINDOWS\aqyfunumys.scr2008-03-23 07:21 17,105 ----a-w C:\WINDOWS\aceri.com2008-03-23 07:21 16,713 ----a-w C:\Program Files\Common Files\epytu.lib2008-03-23 07:21 16,678 ----a-w C:\Program Files\Common Files\idyjyvakac.lib2008-03-23 07:21 12,411 ----a-w C:\WINDOWS\ypypewoban.dll2008-03-23 07:21 10,565 ----a-w C:\WINDOWS\system32\kirini.bat2008-03-23 07:21 10,364 ----a-w C:\WINDOWS\udypuhini.dll2008-03-23 07:21 10,166 ----a-w C:\WINDOWS\ofijibac.scr2008-03-23 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer2008-03-22 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help2008-03-22 19:01 --------- d-----w C:\Program Files\Microsoft SQL Server2008-03-18 00:32 --------- d-----w C:\Program Files\NUnit 2.4.62008-03-08 12:05 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.22008-03-01 19:04 --------- d-----w C:\Program Files\Windows Live2008-03-01 19:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller2008-03-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll2006-05-18 20:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys.((((((((((((((((((((((((((((( snapshot@2008-04-08_ 9.54.01.39 ))))))))))))))))))))))))))))))))))))))))).- 2008-04-07 15:02:09 64,518 ----a-w C:\WINDOWS\system32\perfc009.dat+ 2008-04-08 23:00:09 64,518 ----a-w C:\WINDOWS\system32\perfc009.dat- 2008-04-07 15:02:10 408,676 ----a-w C:\WINDOWS\system32\perfh009.dat+ 2008-04-08 23:00:09 408,676 ----a-w C:\WINDOWS\system32\perfh009.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 13:50 729178]"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 12:39 94208]"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 11:56 409600]"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 15:26 233534]"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23 1187840]"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-13 17:59:40 113664]Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-11-13 14:44:44 4141056]Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-05-17 11:30:32 1470480]HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\WINDOWS\\system32\\mmc.exe"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="C:\\Documents and Settings\\jantonio\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"="C:\\Program Files\\Automated QA\\TestComplete 6\\Bin\\TestComplete.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe"=R2 TestComplete 6 Service;TestComplete 6 Service;"C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe" [2007-11-17 03:11]R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [].**************************************************************************catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-04-09 09:34:57Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????=????|?????? ???B?????????????hLC? ?????? scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\yeyqase]"ImagePath"="\??\C:\WINDOWS\system32\ras\yeyqase.mis".Completion time: 2008-04-09 9:36:18ComboFix-quarantined-files.txt 2008-04-09 16:36:00ComboFix2.txt 2008-04-08 16:54:18Pre-Run: 48,742,395,904 bytes freePost-Run: 48,735,064,064 bytes free.2008-03-22 19:05:17 --- E O F --- Link to post Share on other sites More sharing options...
jimnbarb Posted April 9, 2008 Author ID:15907 Share Posted April 9, 2008 Here's the latest HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:40:40 AM, on 4/9/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\BOINC\boincmgr.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\BOINC\boinc.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Cisco Systems\VPN Client\vpngui.exeC:\Program Files\Microsoft Office\Office\OUTLOOK.EXEC:\Program Files\Skype\Phone\Skype.exeC:\WINDOWS\system32\mdm.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptopO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exeO4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptopO15 - Trusted Zone: http://www.tdameritrade.comO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.webex.com/client/T25L/webex/ieatgpc.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe--End of file - 8222 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted April 9, 2008 ID:15916 Share Posted April 9, 2008 Hi Jim. How are things running? O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background I should have had you remove that one too. sorry.Nothing is showing in the HJT log. But I would like your feedback. Link to post Share on other sites More sharing options...
jimnbarb Posted April 9, 2008 Author ID:15925 Share Posted April 9, 2008 Does that mean my machine is rid of its infection?As far as my machine goes...My machine still seems very sluggish, especially when loading web pages.I also am noticing that the little idiot light that goes off whenever the laptop is doing some "thinking" flashes on and off about once a second.I'm pretty sure (though not 100%) that is wasn't doing that before.Right when this whole thing started my provider (Comcast) blocked my default email port because apparently my machine was spewing email.I can't help but think it might still be trying to do that (though I have no real evidence).Since I do WebDev for a living, being able to refresh web pages quickly is key. Right now its averaging about 1 min per page reload.Any ideas? Link to post Share on other sites More sharing options...
JeanInMontana Posted April 10, 2008 ID:15967 Share Posted April 10, 2008 No it does not mean your clean and with your added information my best advice is you reformat. Your system was part of a spambot net. That means you have a root kit allowing someone else to control the machine. There is no guarantee we can ever remove it without a reformat. You should notify all banks, credit cards any place with sensitive information and change all passwords. You may have had your identity stolen. Link to post Share on other sites More sharing options...
jimnbarb Posted April 10, 2008 Author ID:15972 Share Posted April 10, 2008 Well that is the worst possible news.Though from looking around this site, it is often the case.Having never done that before, I'm wondering if you know of a good resource to read up on what the steps are for reformatting? Link to post Share on other sites More sharing options...
JeanInMontana Posted April 10, 2008 ID:15973 Share Posted April 10, 2008 Jim it's the cases when we know the systems have been compromised in the way yours has been we have to recommend a reformat out of responsibility to the user. Please don't think it is anything to do with the site or the tools we have used. It is the nature of the malware. Since you don't have any "clues" so to speak even showing it, and yet we know you have been compromised I have no confidence we will get it. You must have got something very new that no one has been able to track down yet. I would not just quit you if I thought we had a good chance of cleaning your system. The people behind these tools work nonstop at finding the new stuff and ways to get rid of it. They do it for free. When you bought your PC did you get the full CD for Windows? Or any CD actually. You have an HP and they usually have a recovery partition. However, it could also be infected. If you have the CD for Windows it is simple stick it in and choose the reformat or reinstall option. You should be able to back up to CD anything you need to save now before you lose it. You have a HP and my experience with them has been great in customer service if your still under warranty, use it. Also check out the built in Help section. I'm sure you can order a full Windows CD from them too and maybe get it cheaper, I got mine for $10.00 when I bought the machine.Let me know if you need more info. I am so very sorry to have to be the one to give you this news. I truly think this is the best route. I will give you some tips on preventing this in the future to in closing remarks. Link to post Share on other sites More sharing options...
jimnbarb Posted April 12, 2008 Author ID:16067 Share Posted April 12, 2008 I do not have any problem with the software you told me to run or your advice.It all seemed relevant, useful and delivered in a timely manner.I have nothing but praise for you.However, its going to be a week before I can bring my machine down for an indeterminate amount of time.Once I do the reformat and put my machine back together I will report back.All passwords to critical information has been changed via another computer.Thanks for the heads up on that as well.Any advice in this endeavor is appreciated.Thanks again, I will post once I am back in shape. Link to post Share on other sites More sharing options...
JeanInMontana Posted April 13, 2008 ID:16110 Share Posted April 13, 2008 If this machine is networked you might have all machines connected infected. You should keep it offline until you reformat. Reformatting itself doesn't take that long. It's the reinstalling of all the software and Windows updates that takes a long time and tweaking your personal settings etc. DO NOT get back on line with out a good firewall. Down load and burn to a disk if need be. Or use the Windows one and get a decent firewall and then continue with updates etc. Link to post Share on other sites More sharing options...
Recommended Posts