mwebb Posted October 7, 2008 ID:30084 Share Posted October 7, 2008 I'm trying to remove a SpyBot@MXt malware and i can't boot up in safe mode. I'm not sure if the virus has affected my ability to do this or not since I haven't used safe mode in some time. Has this happened to anyone before? Any suggestions on a work-around? Can I still remove SpyBot@MXt with booting up is safe mode? Thanks Link to post Share on other sites More sharing options...
JeanInMontana Posted October 7, 2008 ID:30086 Share Posted October 7, 2008 Hi mwebb and welcome to Malwarebytes. Are you able to boot at all? If you can boot up please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 Link to post Share on other sites More sharing options...
mwebb Posted October 8, 2008 Author ID:30088 Share Posted October 8, 2008 Hi mwebb and welcome to Malwarebytes. Are you able to boot at all? If you can boot up please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936Yes. I am able to boot in "normal mode". Thank you so much for the quick reply and help here. Before I start, do any of the downloads that you suggest cost any money...specifically Malwarebytes Anti-Malware? I just didn't want to get into this and then realize there was a cost associated with any SW. Thanks Link to post Share on other sites More sharing options...
JeanInMontana Posted October 8, 2008 ID:30116 Share Posted October 8, 2008 Nope it's all free. Link to post Share on other sites More sharing options...
mwebb Posted October 8, 2008 Author ID:30171 Share Posted October 8, 2008 Here are the logs that you requested. I've added them as attachments. I couldn't attach the HiJackThis file so i pasted it below. Please let me know what the next steps should be. Thanks. MikeMalwarebytes' Anti-Malware 1.28Database version: 1242Windows 5.1.2600 Service Pack 210/8/2008 8:57:55 AMmbam-log-2008-10-08 (08-57-55).txtScan type: Quick ScanObjects scanned: 55176Time elapsed: 4 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 8Registry Values Infected: 3Registry Data Items Infected: 4Folders Infected: 1Files Infected: 14Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\w123.w123mgr (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\w123.w123mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{afc8a14f-b50a-4f0f-8fb7-77982092d81d} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://*.compaq.comO15 - Trusted Zone: *.cpqcorp.netO15 - Trusted Zone: http://*.dcu.orgO15 - Trusted Zone: http://*.dec.comO15 - Trusted Zone: *.hp.comO15 - Trusted Zone: http://*.hpe-learning.comO15 - Trusted Zone: *.hpqcorp.netO15 - Trusted Zone: *.hpshopping.comO15 - Trusted Zone: http://*.tandem.comO15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cabO16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CABO16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://genview.gensurvey.com/download/CfxIEAx.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cabO16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cabO16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cabO16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://g1t0061.austin.hp.com/hp/capicom.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\..\{C90AE409-D5EC-4EC6-9086-5DCB048560B2}: NameServer = 16.110.135.51 16.110.135.52O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exeO23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exeO23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exeO23 - Service: Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intelmbam_log_2008_10_08__08_57_55_.txtActiveScan.txtmbam_log_2008_10_08__08_57_55_.txtActiveScan.txt Link to post Share on other sites More sharing options...
mwebb Posted October 9, 2008 Author ID:30218 Share Posted October 9, 2008 Nope it's all free.any answer to the logs i forwarded? Link to post Share on other sites More sharing options...
JeanInMontana Posted October 9, 2008 ID:30243 Share Posted October 9, 2008 Hi please post all logs in the body of your reply, not as attachments. Delete the special tool SDFix and all files and folders associated with it.Run HJT again in scan only mode and place a check next to the following lines then click fix.R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankO9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)RebootYou are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here Adobe Acrobat Reader latest version. Or get the alternative faster lighter on resources Foxit PDF Reader and Editor Look at the Downloads tab here or Downloads if you don't want to see the features etc.Now update MBAM and run another quick scan. Post that log here and a new HJT log. We will see what is left if anything. Link to post Share on other sites More sharing options...
mwebb Posted October 9, 2008 Author ID:30293 Share Posted October 9, 2008 here are the other two logs pasted below..... I will make the changes you requested in about an hour. Thanks so much!Malwarebytes' Anti-Malware 1.28Database version: 1242Windows 5.1.2600 Service Pack 210/8/2008 8:57:55 AMmbam-log-2008-10-08 (08-57-55).txtScan type: Quick ScanObjects scanned: 55176Time elapsed: 4 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 8Registry Values Infected: 3Registry Data Items Infected: 4Folders Infected: 1Files Infected: 14Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\w123.w123mgr (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\w123.w123mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{afc8a14f-b50a-4f0f-8fb7-77982092d81d} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cfee97a3-4911-444d-8be8-e243a23d3de2} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.Folders Infected:C:\WINDOWS\system32\590075 (Trojan.BHO) -> Quarantined and deleted successfully.Files Infected:C:\Program Files\Applications\iebr.dll (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\iebt.dll (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Documents and Settings\mwebb\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Documents and Settings\mwebb\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Documents and Settings\mwebb\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.C:\Documents and Settings\mwebb\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.Active Scan;***********************************************************************************************************************************************************************************ANALYSIS: 2008-10-08 11:12:23PROTECTIONS: 1MALWARE: 11SUSPECTS: 2;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================Symantec Endpoint Protection 11.0.2010.7 Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00041904 adware/sidesearch Adware No 0 Yes No hkey_classes_root\sep.av.scandlgs00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\classes\sep.av.scandlgs00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@trafficmp[1].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@doubleclick[1].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@atdmt[2].txt00139535 Application/Processor HackTools No 0 Yes No C:\RECYCLER\S-1-5-21-839522115-1383384898-515967899-322104\Dc48.exe00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe00139535 Application/Processor HackTools No 0 Yes No C:\Temp\SmitfraudFix\SmitfraudFix.zip[smitfraudFix/Process.exe]00139535 Application/Processor HackTools No 0 No No C:\Temp\Virus\SDFix.exe[C:\Temp\Virus\SDFix.exe][sDFix\apps\Process.exe]00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@tribalfusion[2].txt00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@com[2].txt00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@xiti[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@advertising[1].txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\mwebb\Cookies\mwebb@atwola[2].txt03738686 Generic Malware Virus/Trojan No 0 No No C:\Temp\Virus\SDFix.exe[C:\Temp\Virus\SDFix.exe][sDFix\catchme.exe]03738686 Generic Malware Virus/Trojan No 0 No No C:\Temp\Virus\SDFix.exe[C:\Temp\Virus\SDFix.exe][sDFix\apps\Cghtme.exe]03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================No C:\Documents and Settings\All Users\Application Data\Apple\Installer Cache\Apple Mobile Device Support 2.1.0.25\AppleMobileDeviceSupport.msi[unk_0051][EventFixer.exe]No C:\Program Files\Common Files\Apple\Mobile Device Support\bin\EventFixer.exe ;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;=================================================================================================================================================================================== 184380 MEDIUM MS08-002 182048 HIGH MS07-069 ;=================================================================================================================================================================================== Link to post Share on other sites More sharing options...
JeanInMontana Posted October 9, 2008 ID:30297 Share Posted October 9, 2008 You need to update MBAM and scan. Post that log. And a log from HJT, not Panda. I want all new logs. MBAM is two definition versions from what your using. Link to post Share on other sites More sharing options...
mwebb Posted October 9, 2008 Author ID:30332 Share Posted October 9, 2008 You need to update MBAM and scan. Post that log. And a log from HJT, not Panda. I want all new logs. MBAM is two definition versions from what your using.I didn't remove Java and Adobe Acrobat Reader as I am on a Common Operating Environment with my company and these are the latest versions they support. i did remove what you told be in HiJakThis. Below are my latest logs.thanks so much. Hopefully I'm near the end!Malwarebytes' Anti-Malware 1.28Database version: 1248Windows 5.1.2600 Service Pack 210/9/2008 3:24:33 PMmbam-log-2008-10-09 (15-24-33).txtScan type: Quick ScanObjects scanned: 57647Time elapsed: 5 minute(s), 18 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:26:31 PM, on 10/9/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exec:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\Symantec AntiVirus\Smc.exeC:\Program Files\Symantec AntiVirus\SNAC.EXEC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\ActivCard\acautoreg.exeC:\Program Files\Common Files\ActivCard\accoca.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Memeo\AutoBackup\MemeoService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Remote tools\msraLinkMonitor.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec AntiVirus\SmcGui.exeC:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exeC:\Program Files\Hewlett-Packard\PC COE\IDA.EXEC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\AccelerometerSt.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXEC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\ActivCard\ActivCard Gold\agquickp.exeC:\Program Files\Microsoft Office Communicator\communicator.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\AIM6\aim6.exeC:\Program Files\Jabber\Messenger\JabberMessenger.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Hewlett-Packard\OutlookUtility\HP.OutlookUtility.TaskbarNotifier.exeC:\Program Files\Memeo\AutoBackup\MemeoBackup.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\AIM6\aolsoftware.exeC:\WINDOWS\system32\CMMON32.EXEC:\PROGRA~1\HPAVAD~1\avChgSvc.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compaq.comO15 - Trusted Zone: *.cpqcorp.netO15 - Trusted Zone: http://*.dcu.orgO15 - Trusted Zone: http://*.dec.comO15 - Trusted Zone: *.hp.comO15 - Trusted Zone: http://*.hpe-learning.comO15 - Trusted Zone: *.hpqcorp.netO15 - Trusted Zone: *.hpshopping.comO15 - Trusted Zone: http://*.tandem.comO15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cabO16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CABO16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://genview.gensurvey.com/download/CfxIEAx.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cabO16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cabO16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cabO16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://g1t0061.austin.hp.com/hp/capicom.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\..\{C90AE409-D5EC-4EC6-9086-5DCB048560B2}: NameServer = 16.110.135.51 16.110.135.52O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exeO23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exeO23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exeO23 - Service: Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exeO23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYSO23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeO23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeO23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeO23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exeO23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXEO23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe--End of file - 18164 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted October 10, 2008 ID:30355 Share Posted October 10, 2008 Java and Adobe are both free; the company doesn't need to support them, but I'll guarantee you'll be infected again if you don't update them.Remove this line with HJTO23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)Now update MBAM again and run a quick scan, post the log. Link to post Share on other sites More sharing options...
mwebb Posted October 10, 2008 Author ID:30380 Share Posted October 10, 2008 Java and Adobe are both free; the company doesn't need to support them, but I'll guarantee you'll be infected again if you don't update them.Remove this line with HJTO23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)Now update MBAM again and run a quick scan, post the log.Thanks. You convinced me. I've added teh altest Adobe and Java. I removed O23. Here is the latest log. Thanks.Malwarebytes' Anti-Malware 1.28Database version: 1248Windows 5.1.2600 Service Pack 210/9/2008 10:50:07 PMmbam-log-2008-10-09 (22-50-07).txtScan type: Quick ScanObjects scanned: 58120Time elapsed: 5 minute(s), 44 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
JeanInMontana Posted October 10, 2008 ID:30393 Share Posted October 10, 2008 Did you update MBAM? Update run a quick scan and I need a HJT log please. Link to post Share on other sites More sharing options...
mwebb Posted October 10, 2008 Author ID:30431 Share Posted October 10, 2008 Did you update MBAM? Update run a quick scan and I need a HJT log please.I ran an update (ver 1251). MBAM and HJT log below.Malwarebytes' Anti-Malware 1.28Database version: 1251Windows 5.1.2600 Service Pack 210/10/2008 9:37:33 AMmbam-log-2008-10-10 (09-37-33).txtScan type: Quick ScanObjects scanned: 42673Time elapsed: 3 minute(s), 40 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)======================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:38:56 AM, on 10/10/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exec:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\Symantec AntiVirus\Smc.exeC:\Program Files\Symantec AntiVirus\SNAC.EXEC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\ActivCard\acautoreg.exeC:\Program Files\Common Files\ActivCard\accoca.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\HPAVAD~1\avChgSvc.exeC:\Program Files\Memeo\AutoBackup\MemeoService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Remote tools\msraLinkMonitor.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec AntiVirus\SmcGui.exeC:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exeC:\Program Files\Hewlett-Packard\PC COE\IDA.EXEC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\AccelerometerSt.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXEC:\Program Files\ActivCard\ActivCard Gold\agquickp.exeC:\Program Files\Microsoft Office Communicator\communicator.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\AIM6\aim6.exeC:\Program Files\Jabber\Messenger\JabberMessenger.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Hewlett-Packard\OutlookUtility\HP.OutlookUtility.TaskbarNotifier.exeC:\Program Files\Memeo\AutoBackup\MemeoBackup.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compaq.comO15 - Trusted Zone: *.cpqcorp.netO15 - Trusted Zone: http://*.dcu.orgO15 - Trusted Zone: http://*.dec.comO15 - Trusted Zone: *.hp.comO15 - Trusted Zone: http://*.hpe-learning.comO15 - Trusted Zone: *.hpqcorp.netO15 - Trusted Zone: *.hpshopping.comO15 - Trusted Zone: http://*.tandem.comO15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cabO16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CABO16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://genview.gensurvey.com/download/CfxIEAx.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cabO16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cabO16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://g1t0061.austin.hp.com/hp/capicom.cabO16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exeO23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exeO23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exeO23 - Service: Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exeO23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYSO23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeO23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeO23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeO23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exeO23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXEO23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe--End of file - 18788 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted October 10, 2008 ID:30441 Share Posted October 10, 2008 The logs look clean. How is it running? Link to post Share on other sites More sharing options...
mwebb Posted October 10, 2008 Author ID:30451 Share Posted October 10, 2008 The logs look clean. How is it running?Seems to be running really well. A whole lot better! i did just have a problem with IE in that it hung up while searching for a page and i had to "end task" and re-open, but it worked great from that point on.Thank you so much for you help on this!Mike Link to post Share on other sites More sharing options...
mwebb Posted October 10, 2008 Author ID:30454 Share Posted October 10, 2008 The logs look clean. How is it running?I've been using IE for the past 30 minutes and it is geting hung up, sometimes, when i click on a link. Also, I can't always go back when clicking on the back button. Do you know why this is occuring? It wasn't happening before. Thanks! Link to post Share on other sites More sharing options...
JeanInMontana Posted October 10, 2008 ID:30458 Share Posted October 10, 2008 I really don't like or use IE. Your using an older version and your missing the latest Service Pack for XP. Let's see one more log from MBAM. Be sure to update before the scan. Link to post Share on other sites More sharing options...
mwebb Posted October 10, 2008 Author ID:30461 Share Posted October 10, 2008 I really don't like or use IE. Your using an older version and your missing the latest Service Pack for XP. Let's see one more log from MBAM. Be sure to update before the scan.While last time there were no infections found, this scan found the same 5 again....shoot!Malwarebytes' Anti-Malware 1.28Database version: 1252Windows 5.1.2600 Service Pack 210/10/2008 2:58:35 PMmbam-log-2008-10-10 (14-58-35).txtScan type: Quick ScanObjects scanned: 59249Time elapsed: 5 minute(s), 42 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
JeanInMontana Posted October 11, 2008 ID:30493 Share Posted October 11, 2008 Probably new stuff added with the update. I need a HJT log too please. Also update MBAM again, there is another version of the definitions. Link to post Share on other sites More sharing options...
mwebb Posted October 11, 2008 Author ID:30503 Share Posted October 11, 2008 Probably new stuff added with the update. I need a HJT log too please. Also update MBAM again, there is another version of the definitions.Here you go!Malwarebytes' Anti-Malware 1.28Database version: 1253Windows 5.1.2600 Service Pack 210/10/2008 7:39:38 PMmbam-log-2008-10-10 (19-39-38).txtScan type: Quick ScanObjects scanned: 59082Time elapsed: 5 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:40:45 PM, on 10/10/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exec:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\Symantec AntiVirus\Smc.exeC:\Program Files\Symantec AntiVirus\SNAC.EXEC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\ActivCard\acautoreg.exeC:\Program Files\Common Files\ActivCard\accoca.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\HPAVAD~1\avChgSvc.exeC:\Program Files\Memeo\AutoBackup\MemeoService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Remote tools\msraLinkMonitor.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec AntiVirus\SmcGui.exeC:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exeC:\Program Files\Hewlett-Packard\PC COE\IDA.EXEC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\AccelerometerSt.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\ActivCard\ActivCard Gold\agquickp.exeC:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXEC:\Program Files\Microsoft Office Communicator\communicator.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\AIM6\aim6.exeC:\Program Files\Jabber\Messenger\JabberMessenger.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Hewlett-Packard\OutlookUtility\HP.OutlookUtility.TaskbarNotifier.exeC:\Program Files\Memeo\AutoBackup\MemeoBackup.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compaq.comO15 - Trusted Zone: *.cpqcorp.netO15 - Trusted Zone: http://*.dcu.orgO15 - Trusted Zone: http://*.dec.comO15 - Trusted Zone: *.hp.comO15 - Trusted Zone: http://*.hpe-learning.comO15 - Trusted Zone: *.hpqcorp.netO15 - Trusted Zone: *.hpshopping.comO15 - Trusted Zone: http://*.tandem.comO15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cabO16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CABO16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://genview.gensurvey.com/download/CfxIEAx.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cabO16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cabO16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://g1t0061.austin.hp.com/hp/capicom.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exeO23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exeO23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exeO23 - Service: Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exeO23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYSO23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeO23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeO23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeO23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exeO23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXEO23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe--End of file - 18573 bytes Link to post Share on other sites More sharing options...
mwebb Posted October 12, 2008 Author ID:30577 Share Posted October 12, 2008 Any suggestions on what to do after analyzing my last logs?? Thanks. Link to post Share on other sites More sharing options...
JeanInMontana Posted October 12, 2008 ID:30579 Share Posted October 12, 2008 Update MBAM do a quick scan. Post that log and a new HJT log. Link to post Share on other sites More sharing options...
mwebb Posted October 13, 2008 Author ID:30673 Share Posted October 13, 2008 Here are my latest updated logs.Malwarebytes' Anti-Malware 1.28Database version: 1261Windows 5.1.2600 Service Pack 210/12/2008 5:59:40 PMmbam-log-2008-10-12 (17-59-40).txtScan type: Quick ScanObjects scanned: 56744Time elapsed: 4 minute(s), 54 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:01:05 PM, on 10/12/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exec:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\Symantec AntiVirus\Smc.exeC:\Program Files\Symantec AntiVirus\SNAC.EXEC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\ActivCard\acautoreg.exeC:\Program Files\Common Files\ActivCard\accoca.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\HPAVAD~1\avChgSvc.exeC:\Program Files\Memeo\AutoBackup\MemeoService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Remote tools\msraLinkMonitor.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeC:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec AntiVirus\SmcGui.exeC:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exeC:\Program Files\Hewlett-Packard\PC COE\IDA.EXEC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\AccelerometerSt.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXEC:\Program Files\ActivCard\ActivCard Gold\agquickp.exeC:\Program Files\Microsoft Office Communicator\communicator.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\AIM6\aim6.exeC:\Program Files\Jabber\Messenger\JabberMessenger.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Hewlett-Packard\OutlookUtility\HP.OutlookUtility.TaskbarNotifier.exeC:\Program Files\Memeo\AutoBackup\MemeoBackup.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exeC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compaq.comO15 - Trusted Zone: *.cpqcorp.netO15 - Trusted Zone: http://*.dcu.orgO15 - Trusted Zone: http://*.dec.comO15 - Trusted Zone: *.hp.comO15 - Trusted Zone: http://*.hpe-learning.comO15 - Trusted Zone: *.hpqcorp.netO15 - Trusted Zone: *.hpshopping.comO15 - Trusted Zone: http://*.tandem.comO15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cabO16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CABO16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://genview.gensurvey.com/download/CfxIEAx.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cabO16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cabO16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cabO16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://g1t0061.austin.hp.com/hp/capicom.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.netO17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.netO23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exeO23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exeO23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exeO23 - Service: Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exeO23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYSO23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exeO23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exeO23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exeO23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exeO23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXEO23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe--End of file - 18595 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted October 13, 2008 ID:30700 Share Posted October 13, 2008 So how is it running now? MBAM took out a bunch of junk. Link to post Share on other sites More sharing options...
Recommended Posts