Jump to content
jaguar325

Variant on AV2009

Recommended Posts

Hi folks, this is my first post so please forgive any newbie blunders in outlining the problem. I am trying to help a neighbor who got AV2009 onto more than one of his computers. Fixing the first one was a snap -- I ran Malwarebytes one time and it cleaned the system with no recurring issues. Another one of his laptops, an old HP Pavillion, has got something really, really bad going on.

I have run Malwarebytes about 6-7 times in the past 3 days (full scan). The first 2-3 times, it would find lots of things (between 50-60) and, each time, I would follow the instructions to either delete or quarantine them. After a while, I started thinking maybe there was something in the startup procedure that was bringing these gremlins back out so I booted in Safe mode instead, then ran Malwarebytes. Since it can only delete certain files on reboot, I was afraid to do a full reboot to regular Windows, so I shut down, then rebooted to SAFE mode again. Even so, Malwarebytes is continuing to find things each time but, the number has drastically reduced. All it found on the last go-around was 6 instances with about an even split between WinCtrl32.dll and something called Winaj21.sys. Since I was having no sucess getting rid of these via reboot, I tried installing autoruns and unchecked WinCtrl32.dll. Winaj21.sys denied my ability to do this. I tried searching the web for this name and the only hits I got were in Russian and Czech -- using Google translator, I could tell these were forums on Malware but it was not clear what to do. I did not find any English language info on Winaj21.sys.

Any ideas on what to do about this? No matter how many times I have run Malwarebytes, even with rebooting from SAFE mode back to SAFE mode, it does not appear this is fixing the PC. If I try to boot to normal Windows, it gets through the boot sequence then, just as the HP wireless connection software finishes, the system shuts down automatically.

Please help.

Share this post


Link to post
Share on other sites

Please download the following scanning tool. GMER

  • Open the zip file and copy the file
    gmer.exe
    to your Desktop.
  • Double click on
    gmer.exe
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. Click on the
    SCAN
    button and DO NOT use the computer while it's scanning.

  • Once the scan is done click on the
    SAVE
    button and browse to your Desktop and save the file as
    GMER.LOG

  • Zip up the
    GMER.LOG
    file and save it as
    gmerlog.zip
    and attach it to your reply post.

  • DO NOT
    directly post this log into a reply. You
    MUST
    attach it as a
    .ZIP
    file.

  • Click OK and quit the GMER program.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.
I need you to follow the instructions provided here
first.
I also need for you to download this program
http://oldtimer.geekstogo.com/OTListIt.exe' rel="external nofollow">
to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the
    "Scan All Users"
    checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE:
    Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (
    OTListIt.Txt
    ) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.

  • Submit your reply and close the Notepad window with
    OTList.txt

  • Also OTListIt's
    Extras.txt
    log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE:
    If the files (
    OTListIt.txt, Extras.txt
    ) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

And one final note, if you boot into safemode, mbam will never have the opportunity to delete the files it marked previously for deletion.

Share this post


Link to post
Share on other sites

Thanks, I will work on these steps and get back to you as requested. Will everything you have outlined run in SAFE mode? Or, do I want to somehow try to get the system to stay up in a normal Windows environment to take these steps? I am using another computer to get on the internet and download/upload files because if I invoke SAFE with internet, the auto-shutdown will start again. Thanks also for the tip on needing to do a normal reboot for the file deletions to take hold. I have tried that too but the system shuts down on me afterward.

I don't know if this has any bearing on the situation, but I have noticed that the main AV2009 windows appear to have been eliminated after the first major scans. When the system boots to normal Windows, the only lingering message I sometimes see is the small popup warning of an infection. The last couple of reboots, I haven't seen it so I wonder if the malware that is still there is just the code that forces the shutdown.

Share this post


Link to post
Share on other sites
Thanks, I will work on these steps and get back to you as requested. Will everything you have outlined run in SAFE mode? Or, do I want to somehow try to get the system to stay up in a normal Windows environment to take these steps? I am using another computer to get on the internet and download/upload files because if I invoke SAFE with internet, the auto-shutdown will start again. Thanks also for the tip on needing to do a normal reboot for the file deletions to take hold. I have tried that too but the system shuts down on me afterward.

The steps should be done in normal mode whenever possible. Safe mode disables some drivers temporarily by using another section of the registry, this can cause tools to misreport information to us.

When you say it's shutting down, what exactly do you mean? How is it shutting down?

I don't know if this has any bearing on the situation, but I have noticed that the main AV2009 windows appear to have been eliminated after the first major scans. When the system boots to normal Windows, the only lingering message I sometimes see is the small popup warning of an infection. The last couple of reboots, I haven't seen it so I wonder if the malware that is still there is just the code that forces the shutdown.

You are most likely still infected with something or other.

Can you get me a hijackthis log? That and the logs from OTLIST, and gmer are most important, they provide the most information to me.

Share this post


Link to post
Share on other sites
The steps should be done in normal mode whenever possible. Safe mode disables some drivers temporarily by using another section of the registry, this can cause tools to misreport information to us.

When you say it's shutting down, what exactly do you mean? How is it shutting down?

You are most likely still infected with something or other.

Can you get me a hijackthis log? That and the logs from OTLIST, and gmer are most important, they provide the most information to me.

I tried booting normally again so I could run the scan that way.. as soon as the system initializes all the processes, I get the pop-up "Your computer is infected...." then, within 30 seconds, it shuts down. I tried clicking on gmer before it went into shutdown mode and got nothing. I rebooted in Safe mode, it will stay up that way but, when I click gmer, nothing. I have waited a good 10 mins with no indication it is running. When I open task manager, it does say gmer is running though.

To get you a hijackthis log, is it the same issue? It would be better to have one that ran in a normal Windows environment?

This may or may not be relevant but one thing I do notice is that in the task manager during a normal windows bootup, I get one instance of winvnc4.exe and multiple instances of wmiprvse.exe.. I read somewhere that the latter might be associated with a virus and to try closing the process. When I do that, it starts up another one and it's about the time I see the popup again. Then, the system shuts down.

Share this post


Link to post
Share on other sites

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:


  • repair a damaged system,
  • rescue data,

  • scan the system for virus infections.


    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Share this post


Link to post
Share on other sites

Hi Dustin (and the other person who replied). I've been away from this for a week due to work and other commitments and just found some time this evening to dive back in. I thought I would start with Dustin's original suggestion and, thankfully, had some minor success with it tonight. I hope you will see this and can help.

I turned the affected PC back on and decided to let it boot normally to see what was going on. I was very frustrated last week with the continual boot-up, then reboot scenario I was running into. I noticed that the timing of when the restart process would be invoked was about the time that the wireless LAN connection was firing up. So, I disabled wireless LAN and found that the PC would stay booted-up. I re-ran Malwarebytes and got something like 38 hits during a full scan, then rebooted (wireless LAN still disabled). The PC came back up and stayed up allowing me to re-run Malwarebytes again - this time, it appeared to be finding the same 6 instances of WinCtrl32.dll and Winaj21.sys (4 in registry and 2 in system32 files). After telling it to handle these instances I thought I would try running the GMER scan utility which, up until now, would not initialize (not sure if the malware is able to block these types of programs). It ran and I did a scan. The zip file for this scan is attached as requested. I will take the other steps outlined in Dustin's note tomorrow but I thought I would send what I have in case it gives you any clues.

Given that I seem to be able to keep the system running if I turn off the HP wireless LAN software, I wonder if this is about the same as what I was experiencing when I was booting up in SAFE mode. I was able to boot-up and keep the system running in SAFE mode only when I selected SAFE with no network access. I am not technical enough to know if the malware has infected HP wireless software or if it is smart enough to know to look for an internet connection as part of what it is doing. Any thoughts/suggestions are welcome.

To the other person who replied, I was a little thrown off by your reference to that tool being Linux-based.. will it work with an XP-PC? Is there a need to use such a tool if I have found a way to keep the system up (without network enabled)?

I am pretty confident that if I keep rebooting this way, even if the system will stay up, subsequent runs of Malwarebytes will keep isolating those same 6 instances of WinCtrl32.dll and Winaj21.sys and even though I follow instructions to get rid of them, I keep being told that 4 of the registry entries can only be removed upon reboot - as I do this, they keep getting reloaded somehow.

Thanks for any help you can provide!

GMER.zip

GMER.zip

Share this post


Link to post
Share on other sites
Hi Dustin (and the other person who replied). I've been away from this for a week due to work and other commitments and just found some time this evening to dive back in. I thought I would start with Dustin's original suggestion and, thankfully, had some minor success with it tonight. I hope you will see this and can help.

I turned the affected PC back on and decided to let it boot normally to see what was going on. I was very frustrated last week with the continual boot-up, then reboot scenario I was running into. I noticed that the timing of when the restart process would be invoked was about the time that the wireless LAN connection was firing up. So, I disabled wireless LAN and found that the PC would stay booted-up. I re-ran Malwarebytes and got something like 38 hits during a full scan, then rebooted (wireless LAN still disabled). The PC came back up and stayed up allowing me to re-run Malwarebytes again - this time, it appeared to be finding the same 6 instances of WinCtrl32.dll and Winaj21.sys (4 in registry and 2 in system32 files). After telling it to handle these instances I thought I would try running the GMER scan utility which, up until now, would not initialize (not sure if the malware is able to block these types of programs). It ran and I did a scan. The zip file for this scan is attached as requested. I will take the other steps outlined in Dustin's note tomorrow but I thought I would send what I have in case it gives you any clues.

Given that I seem to be able to keep the system running if I turn off the HP wireless LAN software, I wonder if this is about the same as what I was experiencing when I was booting up in SAFE mode. I was able to boot-up and keep the system running in SAFE mode only when I selected SAFE with no network access. I am not technical enough to know if the malware has infected HP wireless software or if it is smart enough to know to look for an internet connection as part of what it is doing. Any thoughts/suggestions are welcome.

To the other person who replied, I was a little thrown off by your reference to that tool being Linux-based.. will it work with an XP-PC? Is there a need to use such a tool if I have found a way to keep the system up (without network enabled)?

I am pretty confident that if I keep rebooting this way, even if the system will stay up, subsequent runs of Malwarebytes will keep isolating those same 6 instances of WinCtrl32.dll and Winaj21.sys and even though I follow instructions to get rid of them, I keep being told that 4 of the registry entries can only be removed upon reboot - as I do this, they keep getting reloaded somehow.

Thanks for any help you can provide!

Great. As the system will remain online, lets see whats going on with your computer.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.
I need you to follow the instructions provided here
first.
I also need for you to download this program
http://oldtimer.geekstogo.com/OTListIt.exe' rel="external nofollow">
to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the
    "Scan All Users"
    checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE:
    Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (
    OTListIt.Txt
    ) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.

  • Submit your reply and close the Notepad window with
    OTList.txt

  • Also OTListIt's
    Extras.txt
    log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE:
    If the files (
    OTListIt.txt, Extras.txt
    ) do not appear in your taskbar, just open the files in notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Share this post


Link to post
Share on other sites

Yes the Avira AntiVir Rescue System does work on a Windows PC and was designed to repair it of Virus and Malware from a bootable CD. They just use Linux as the Operating System to boot and run from because it's free to use and Microsoft PXE is not.

However if you can now run it in normal mode Dustin can help you finish cleaning up the system I'm sure without using it. I only suggested it as you were having trouble getting into Windows.

Share this post


Link to post
Share on other sites

Hi, I will be following your instructions this afternoon while I handle some things for work. In the meantime, I wanted to give a little more information that might be useful. Last night, I hooked the affected PC up tot he internet using a LAN connection and found that it would stay booted up. So, I ran Malwarebytes update to get the latest definition file (dated 11/6). I ran a scan again and found it to be doing the same thing as before: 6 entries were found during a full scan and 4 were not able to be removed without a reboot. Buy, upon reboot, the same 6 get repopulated so there is a continuous loop involved. I put these entries into the attached file and noted which ones are the ones Malwarebytes says it cannot remove without reboot.

Thanks!

Malwarebytes_Report.zip

Malwarebytes_Report.zip

Share this post


Link to post
Share on other sites

I tried the detailed process provided by Dustin, starting with installing/running Spybot. That posed a problem because I got stuck in a continuous loop with it telling me it needed to reboot during scans. I tried doing this which produced no results so I started ignoring it and going through the full scan without acknowledging the reboot messages. It seemed to get stuck on the same recurring files that I could not clean out with multiple attempts with Malwarebytes. Desperate, I tried SuperAntiSpyware, which would not initialize when I first started trying to clean this PC but whatever I have done to get it stable enough to keep running must have been enough to get SuperAntiSpyware to work because I was able to fire it up and run several full scans (with restarts in between). After the third scan/reboot, it came back with a clean report. I thought it was too good to be true so I ran both Spybot and Malwarebytes full scans and they are coming back clean too. Once I was comfortable that the system was clean/stable, I downloaded CA's ISS suite (free from my ISP) - it found a few more items and cleaned them as well. I have been using the system all morning without problem.

I am inclined to think this situation is over for now. My plan for today is to get all the MS software and Firefox updates applied, turn off real-time scanning from Spybot and SuperAntiSpyware and let CA take over - this machine belongs to a person who is not technical and my thinking is that they can get support from the ISP in the future. I'll leave all three programs (Malwarebytes, Spybot and SuperAntiSpyware) installed in case of a need for me to do scans in the future.

Is there any reason I ought to consider taking additional action? If not, thanks for your help!

Share this post


Link to post
Share on other sites

Just to be on the safer side, please provide a fresh hijackthis log.

Share this post


Link to post
Share on other sites
Just to be on the safer side, please provide a fresh hijackthis log.

Hi, hopefully I did this right. Here is the HJT scan log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:59:53 PM, on 11/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\FSRremoS.EXE

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\mdmcls32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\svcprs32.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe

C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Metrics] "C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe" a

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"

O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: MRI_DISABLED

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1226156650734

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rimsupport.webex.com/client/T23L/support/ieatgpc.cab

O20 - AppInit_DLLs: karna.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

--

End of file - 12361 bytes

Hijack_this_scan_from_jaguar325.zip.zip

Hijack_this_scan_from_jaguar325.zip.zip

Share this post


Link to post
Share on other sites

Hello, sorry for the delay in anyone responding. Please update MBAM, run a quick scan post the log not as an attachment but as a reply in the body of the reply do the same for a new HJT log after the MBAM scan and you remove all that is found.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.