#1  04-14-2007, 10:49 AM
JayPlayer (Registered User; Join Date: Apr 2007; Posts: 6; OS: XP)

EEK! Malware

I've got the IE pop-up or page re-direct, can anyone help? Below is my HijackThis log... thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:36:23 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ProStores\StoreMonitor\StoreMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PayPal\Payment Wizard\PaypalOE.exe
C:\Program Files\Phonic\FireFly302_Firewire\Phonic_cpl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\blcorp\WinCleaner AntiSpyware\WCAntiSpy.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgr.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: (no name) - {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BFBB91BE-E30E-498D-AEEA-4445D15C3C80} - (no file)
O2 - BHO: (no name) - {C7D6D29B-91E5-4614-A31F-DC2178E67C7C} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE" /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ProStoresStoreMonitor] C:\Program Files\ProStores\StoreMonitor\StoreMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1130708498-3586167925-1610440703-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: WCAntiSpy.lnk = C:\Program Files\blcorp\WinCleaner AntiSpyware\WCAntiSpy.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Payment Wizard Options.lnk = ?
O4 - Global Startup: Phonic Control Panel.lnk = C:\Program Files\Phonic\FireFly302_Firewire\Phonic_cpl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157404684250
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://prgnj-ts2.prg.com/tsweb/msrdp.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - http://store01.prostores.com/storead...s/pssbedit.cab
O20 - Winlogon Notify: awtsr - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 15120 bytes
#2  04-20-2007, 06:43 AM
dorts (Analyst, Security Team; Join Date: Mar 2006; Location: Singapore; Posts: 1,603; OS: Windows XP SP2)

Re: Malware

Hello and welcome to TSF.

Please read the following.

http://www.techsupportforum.com/secu...ion2-beta.html
#3  04-21-2007, 06:55 PM
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 20,048; OS: WinXP and Vista)

Re: Malware

Hello JayPlayer and welcome,

What we're looking for is the following:

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply so we can get started:

Panda results
main.txt
an attached extra.txt
#4  04-21-2007, 07:10 PM
JayPlayer (Registered User; Join Date: Apr 2007; Posts: 6; OS: XP)

Re: Malware

My specific malware hijacks my IE after I've closed it and takes me where I don't want to be. I've done the 5 steps and hope I'm posting everything correctly. My HijackThis log is in the original post; below are the Panda log, main.txt and the attached extra.txt... thanks for the help!


Incident                                          Status           Location
Spyware:Spyware/Virtumonde                        Not disinfected  C:\WINDOWS\system32\WinFlyer32.dll
Adware:adware/ist.istbar                          Not disinfected  Windows Registry
Spyware:Cookie/Atwola                             Not disinfected  C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atwola[1].txt
Spyware:Cookie/ErrorSafe                          Not disinfected  C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@errorsafe[1].txt
Spyware:Cookie/Toplist                            Not disinfected  C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@toplist[1].txt
Spyware:Cookie/DriveCleaner                       Not disinfected  C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.drivecleaner[2].txt
Spyware:Cookie/ErrorSafe                          Not disinfected  C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.errorsafe[1].txt
Spyware:Cookie/myaffiliateprogram                 Not disinfected  C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.myaffiliateprogram[2].txt
Spyware:Generic Adware                            Not disinfected  C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SS169K40\ysb_mp3[1].cab[YSBactivex.dll]
Potentially unwanted tool:Application/KillApp.B   Not disinfected  C:\hp\bin\KillIt.exe
Spyware:Spyware/Virtumonde                        Not disinfected  C:\VundoFix Backups\ddcyv.dll.bad
Potentially unwanted tool:Application/VSToolbar   Not disinfected  C:\VundoFix Backups\ybkkfqde.exe.bad
Spyware:Spyware/Virtumonde                        Not disinfected  C:\WINDOWS\system32\ricbcxty.dll
Virus:Trj/Alanchum.PO                             Disinfected      Local Folders\Deleted Items\Our Love is Strong\flash postcard.exe

Deckard's System Scanner v20070411.38
Run by HP_Administrator on 2007-04-21 at 10:53:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
142: 2007-04-21 14:53:24 UTC - RP367 - Deckard's System Scanner Restore Point
141: 2007-04-20 22:54:28 UTC - RP366 - System Checkpoint
140: 2007-04-19 18:08:34 UTC - RP365 - System Checkpoint
139: 2007-04-18 17:24:17 UTC - RP364 - System Checkpoint
138: 2007-04-17 15:49:51 UTC - RP363 - CounterSpy - 4/17/2007 11:49:47 AM


-- First Restore Point --
1: 2007-01-21 15:30:24 UTC - RP226 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-04-21 1151
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\QuickTime\qttask.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ProStores\StoreMonitor\StoreMonitor.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\PayPal\Payment Wizard\PAYPALOE.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Phonic\FireFly302_Firewire\Phonic_cpl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\blcorp\WinCleaner AntiSpyware\WCAntiSpy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intuit\QuickBooks 2006\QBDBMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Temp\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {BFBB91BE-E30E-498D-AEEA-4445D15C3C80} - (no file)
O2 - BHO: (no name) - {C7D6D29B-91E5-4614-A31F-DC2178E67C7C} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE" /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ProStoresStoreMonitor] C:\Program Files\ProStores\StoreMonitor\StoreMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WCAntiSpy.lnk = C:\Program Files\blcorp\WinCleaner AntiSpyware\WCAntiSpy.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Payment Wizard Options.lnk = C:\Program Files\PayPal\Payment Wizard\PaypalOE.exe
O4 - Global Startup: Phonic Control Panel.lnk = C:\Program Files\Phonic\FireFly302_Firewire\Phonic_cpl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra 'Tools' menuitem: (no name) - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://www.suntrust.com (HKCU)
O15 - Trusted Zone: https://sss-web.usps.com (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} () - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157404684250
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://prgnj-ts2.prg.com/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - http://store01.prostores.com/storead...s/pssbedit.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - "c:\Program Files\Common Files\LightScribe\LSSrvc.exe"
O23 - Service: LiveUpdate - Symantec Corporation - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE"
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - "C:\Program Files\Prevx1\PXAgent.exe" -f
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - "C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe"
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - "C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe"
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe"
O23 - Service: RoxMediaDB9 - Sonic Solutions - "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe"
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe"
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - "C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"
O23 - Service: Symantec Core LC - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"


-- HijackThis Fixed Entries (C:\Documents and Settings\HP_Administrator\My Documents\Downloads\backups\) --------------------------------------------------------------------------------

backup-20070331-101400-816 O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
backup-20070331-102354-198 O20 - Winlogon Notify: hggfgeb - C:\WINDOWS\
backup-20070331-102354-611 O20 - Winlogon Notify: jkhhi - C:\WINDOWS\
backup-20070331-173605-765 O2 - BHO: (no name) - {371C9EAF-CB34-4304-8C51-52A08FDA9F48} - (no file)
backup-20070331-173605-848 O2 - BHO: (no name) - {0B496413-6E25-4AD6-B501-459019F04BA4} - (no file)
backup-20070331-190325-295 O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ricbcxty.dll",setvm
backup-20070409-230220-636 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 AVG Anti-Rootkit - c:\windows\system32\drivers\avgarkt.sys
R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys
R0 PrevxDriver (PREVX Kernel Mode Agent) - c:\windows\system32\drivers\pxfsf.sys
R0 SBHR - c:\windows\system32\drivers\sbhr.sys
R1 AvgArCln (Avg Anti-Rootkit Clean Driver) - c:\windows\system32\drivers\avgarcln.sys
R1 PrevxTdi (PREVX Tdi filter) - c:\windows\system32\drivers\pxtdi.sys
R1 PXRDDriver (PREVX Rootkitscan driver) - c:\windows\system32\drivers\pxrd.sys
R2 IOPort - c:\windows\system32\ioport.sys
R2 MarxDev1 - c:\windows\system32\drivers\marxdev1.sys
R2 MarxDev2 - c:\windows\system32\drivers\marxdev2.sys
R2 MarxDev3 - c:\windows\system32\drivers\marxdev3.sys
R2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys
R3 MMRTKRNL - c:\windows\system32\drivers\mmrtkrnl.sys
R3 Ps2 - c:\windows\system32\drivers\ps2.sys

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys
S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys
S3 PCDRSRVC (PCDRSRVC - PCDR Kernel Mode Service Helper Driver) - c:\windows\system32\drivers\pcdrsrvc.pkms
S3 Phonic_1394 - c:\windows\system32\drivers\phonic_1394.sys
S3 Phonic_avs - c:\windows\system32\drivers\phonic_avs.sys
S3 PrevxEmulator (PREVX Emulator Driver) - c:\windows\system32\drivers\pxemu.sys
S3 SynasUSB - c:\windows\system32\drivers\synasusb.sys
S3 USB11LDR (USB Midi 1x1 Loader) - c:\windows\system32\drivers\usb11ldr.sys
S3 USBMN1X1 (USB Midi 1x1) - c:\windows\system32\drivers\usbmn1x1.sys
S4 RxFilter - c:\windows\system32\drivers\rxfilter.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LiveUpdate Notice Service - "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifeng.dll"
R2 PREVXAgent (Prevx Agent) - "c:\program files\prevx1\pxagent.exe" -f

S2 Roxio Upnp Server 9 - "c:\program files\roxio\digital home 9\roxioupnpservice9.exe"
S2 RoxLiveShare9 (LiveShare P2P Server 9) - "c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe"
S2 RoxWatch9 (Roxio Hard Drive Watcher 9) - "c:\program files\common files\roxio shared\9.0\sharedcom\roxwatch9.exe"
S2 SBCSSvc (Sunbelt CounterSpy Antispyware) - "c:\program files\sunbelt software\counterspy\sbcssvc.exe"
S3 MHN - c:\windows\system32\svchost.exe -k netsvcs
S3 Roxio UPnP Renderer 9 - "c:\program files\roxio\digital home 9\roxioupnprenderer9.exe"
S3 RoxMediaDB9 - "c:\program files\common files\roxio shared\9.0\sharedcom\roxmediadb9.exe"


-- Scheduled Tasks -------------------------------------------------------------

2007-04-21 02:01:01 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>


-- Files created between 2007-03-21 and 2007-04-21 -----------------------------

2007-04-21 10:39:37 0 d-------- C:\ZonedOut
2007-04-21 10:29:51 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-04-21 10:26:08 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-04-20 22:44:58 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-20 22:44:54 0 d-------- C:\WINDOWS\LastGood
2007-04-20 10:20:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-04-10 17:33:14 1630208 --a------ C:\WINDOWS\system32\XERCES-C_2_3_0.DLL<XERCES~3.DLL>
2007-04-10 17:33:13 1568768 -ra------ C:\WINDOWS\system32\xerces-c_1_7_0.dll<XERCES~2.DLL>
2007-04-10 17:33:13 1273856 --a------ C:\WINDOWS\system32\xerces-c_1_5.dll<XERCES~1.DLL>
2007-04-10 17:33:13 581632 --a------ C:\WINDOWS\system32\STLPORT_VC745.DLL<STLPOR~1.DLL>
2007-04-10 17:33:13 1667072 --a------ C:\WINDOWS\system32\sdkqbimpl.dll<SDKQBI~1.DLL>
2007-04-10 17:33:13 3162175 --a------ C:\WINDOWS\system32\sdkdatabind.dll<SDKDAT~1.DLL>
2007-04-10 17:33:13 282624 --a------ C:\WINDOWS\system32\sdkcore.dll
2007-04-10 17:33:13 385100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-04-10 17:33:12 2179072 --a------ C:\WINDOWS\system32\MFC71D.DLL
2007-04-10 17:33:11 147456 --a------ C:\WINDOWS\system32\qbxmlrp.dll
2007-04-10 17:33:11 2449408 -ra------ C:\WINDOWS\system32\qbfc2_1.dll
2007-04-09 11:56:39 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-04-09 11:56:39 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-04-09 11:36:27 15544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-04-09 11:34:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software<SUNBEL~1>
2007-04-09 11:34:25 0 d-------- C:\Program Files\Sunbelt Software<SUNBEL~1>
2007-03-31 18:27:34 12288 --a------ C:\Documents and Settings\HP_Administrator\spydb.dat
2007-03-30 09:37:55 0 d-------- C:\SpySoapBin<SPYSOA~1>
2007-03-30 09:37:49 0 d-------- C:\Program Files\SpySoap
2007-03-27 13:13:29 17784 --a------ C:\WINDOWS\system32\drivers\NSynas32.sys
2007-03-27 13:10:32 0 d-------- C:\Mac Installer<MACINS~1>
2007-03-27 13:10:32 0 d-------- C:\License
2007-03-27 13:08:34 0 d-------- C:\Hypersonic Content<HYPERS~2>
2007-03-27 13:08:25 0 d-------- C:\Hypersonic 2 Demosongs<HYPERS~1>
2007-03-27 13:08:23 0 d-------- C:\Crack - Lauch after install<CRACK-~1>
2007-03-27 13:08:23 0 d-------- C:\Copy Protection Driver<COPYPR~1>
2007-03-27 13:07:58 0 d-------- C:\Additional Content<ADDITI~1>
2007-03-27 13:03:58 0 d-------- C:\Installer Data<INSTAL~1>
2007-03-27 12:57:12 0 d-------- C:\Documentation<DOCUME~2>
2007-03-26 20:32:49 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll<REXSHA~1.DLL>
2007-03-26 19:55:56 98304 --a------ C:\WINDOWS\system32\WinFlyer32.dll<WINFLY~1.DLL>
2007-03-26 09:46:11 467 --a------ C:\WINDOWS\system32\Datei9
2007-03-26 09:46:11 467 --a------ C:\WINDOWS\system32\Datei8
2007-03-26 09:46:11 469 --a------ C:\WINDOWS\system32\Datei7
2007-03-26 09:46:11 465 --a------ C:\WINDOWS\system32\Datei6
2007-03-26 09:46:11 469 --a------ C:\WINDOWS\system32\Datei5
2007-03-26 09:46:11 471 --a------ C:\WINDOWS\system32\Datei4
2007-03-26 09:46:11 470 --a------ C:\WINDOWS\system32\Datei3
2007-03-26 09:46:11 471 --a------ C:\WINDOWS\system32\Datei2
2007-03-26 09:46:11 467 --a------ C:\WINDOWS\system32\Datei10
2007-03-26 09:46:11 470 --a------ C:\WINDOWS\system32\Datei1
2007-03-26 09:46:11 468 --a------ C:\WINDOWS\system32\Datei0
2007-03-26 09:38:43 16896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-03-26 09:38:19 45056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-03-26 09:38:17 147456 -----n--- C:\WINDOWS\system32\SynsoLChk.dll<SYNSOL~1.DLL>
2007-03-26 09:38:17 708608 -----n--- C:\WINDOWS\system32\SYNSOACC.dll
2007-03-25 20:40:29 33792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-03-24 08:36:46 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Prevx
2007-03-24 08:36:18 7680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2007-03-24 08:36:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-03-23 09:52:18 3968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-03-23 06:15:27 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Business Logic<BUSINE~1>
2007-03-23 05:56:48 0 d-------- C:\Program Files\blcorp
2007-03-23 05:01:49 123972 --a------ C:\WINDOWS\system32\ricbcxty.dll
2007-03-23 05:01:47 1227923 ---hs---- C:\WINDOWS\system32\ihhkj.bak2<IHHKJ~2.BAK>
2007-03-22 23:17:05 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-22 01:18:44 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-03-22 01:18:29 0 d-------- C:\Program Files\Common Files\PC Tools<PCTOOL~1>
2007-03-22 01:18:09 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-03-22 00:51:13 1197871 ---hs---- C:\WINDOWS\system32\ihhkj.bak1<IHHKJ~1.BAK>
2007-03-22 00:37:46 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-22 00:30:51 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1>


-- Find3M Report ---------------------------------------------------------------

2007-04-21 00:02:25 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-04-20 23:56:26 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-04-20 23:47:19 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-04-20 23:42:38 0 d-------- C:\Program Files\iTunes
2007-04-20 23:26:47 0 d-------- C:\Program Files\Google
2007-04-20 23:22:40 0 d-a------ C:\Program Files\Common Files\LightScribe<LIGHTS~1>
2007-04-20 23:22:03 0 d-------- C:\Program Files\Citi Virtual Account Numbers<CITIVI~1>
2007-04-19 19:26:00 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
2007-04-11 16:46:58 0 d-------- C:\Program Files\Quicken
2007-04-10 19:05:42 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-08 12:03:15 0 d-------- C:\Program Files\Java
2007-04-03 13:46:55 0 d-------- C:\Program Files\MediaFACE II<MEDIAF~1>
2007-03-27 13:13:57 0 d-------- C:\Program Files\Syncrosoft<SYNCRO~1>
2007-03-27 06:34:13 0 d-------- C:\Program Files\QuoteTracker<QUOTET~1>
2007-03-26 11:05:48 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Cakewalk
2007-03-23 06:54:34 0 d-------- C:\Program Files\PrintFile<PRINTF~1>
2007-03-22 19:27:11 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-22 19:27:10 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-03-22 19:13:42 0 d-------- C:\Program Files\Symantec
2007-03-20 22:21:18 400384 --a------ C:\WINDOWS\system32\SYNSOACC2.dll<SYNSOA~2.DLL>
2007-03-20 13:05:07 0 d-------- C:\Program Files\Steinberg<STEINB~1>
2007-03-19 1211 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Steinberg<STEINB~1>
2007-03-19 06:24:56 0 d-------- C:\Program Files\MagicISO
2007-03-18 19:17:16 0 d-------- C:\Program Files\Undisker
2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 09:57:40 27376 --a------ C:\WINDOWS\system32\SBBD.exe
2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 20:11:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Identities<IDENTI~1>
2007-03-07 20:09:13 0 d-------- C:\Program Files\Cakewalk
2007-03-06 20:44:33 0 d-------- C:\Program Files\Shareaza
2007-03-06 20:44:31 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Shareaza
2007-02-19 13:03:38 4 --ah----- C:\WINDOWS\uccspecb.sys
2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ProStoresStoreMonitor"="C:\\Program Files\\ProStores\\StoreMonitor\\StoreMonitor.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"EPSON Stylus C62 Series"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE\" /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"Microsoft Works Update Detection"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe\""
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\issch.exe\" -start"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"CitiVAN"="\"C:\\Program Files\\Citi Virtual Account Numbers\\CitiVAN.exe\" /dontopenmycards"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
@=""
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"WinFlyer32.dll"="\"rundll32.exe\" C:\\WINDOWS\\system32\\WinFlyer32.dll,Run"
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42dd6c24-4122-11db-8ab2-806d6172696f}]
Shell\AutoRun\command E:\Setup\rsrc\Autorun.exe
Shell\dinstall\command E:\Directx\dxsetup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb7869ca-34d5-11db-ae95-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb7869cb-34d5-11db-ae95-806d6172696f}]
Shell\AutoRun\command C:\Autorun.exe


-- End of Deckard's System Scanner: finished at 2007-04-21 at 11:07:15 ---------
Attached file: extra.txt (18.4 KB)
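An added example, not part of the original thread and not a piece of HijackThis, DSS or ComboFix: the Python script below applies a few of the checks a helper makes by eye on the log above (a Winlogon Notify entry whose path is a bare directory, orphaned O2/O9 entries, a rundll32 Run value whose DLL also appears in the "files created" list, hidden+system files under system32, and pairs of names that are the reverse of each other, which is how ricbcxty.dll relates to the ytxcbcir.ini that the ComboFix log further down deletes beside it). The sample lines are copied from the log above, except the ytxcbcir.ini entry, whose size and timestamp are made up for the example; the function and variable names are mine.

```python
import re

# Constructed sample made from lines copied out of the HijackThis and Deckard's System
# Scanner output posted above. The last line is invented for the example: ytxcbcir.ini is
# named in the ComboFix log later in this thread, but the page gives no size or time for it.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {371C9EAF-CB34-4304-8C51-52A08FDA9F48} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ricbcxty.dll",setvm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
backup-20070331-102354-611 O20 - Winlogon Notify: jkhhi - C:\WINDOWS\
2007-03-26 19:55:56 98304 --a------ C:\WINDOWS\system32\WinFlyer32.dll<WINFLY~1.DLL>
2007-03-23 05:01:49 123972 --a------ C:\WINDOWS\system32\ricbcxty.dll
2007-03-23 05:01:47 1227923 ---hs---- C:\WINDOWS\system32\ihhkj.bak2<IHHKJ~2.BAK>
2007-03-22 23:17:05 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-22 00:51:13 1197871 ---hs---- C:\WINDOWS\system32\ihhkj.bak1<IHHKJ~1.BAK>
2007-03-23 05:01:50 1 --a------ C:\WINDOWS\system32\ytxcbcir.ini
"""

BACKUP_PREFIX = re.compile(r"^backup-\d{8}-\d{6}-\d+\s+")   # HJT "Fixed Entries" backups
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_LINE = re.compile(r"^O(?:2|9) - .*\((?:no file|file missing)\)$")
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{9}) (?P<path>.+?)(?:<[^<>]*>)?$"      # trailing <8.3 name> is noise
)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return a list of (severity, message) findings for the suspicious patterns."""
    findings = []
    created = {}      # lower-case basename -> creation date, from the "files created" section
    run_dlls = []     # (Run value name, DLL path) for rundll32 autostarts
    pool = {}         # lower-case name stem -> label, for the mirrored-name check
    for raw in log_text.splitlines():
        line = BACKUP_PREFIX.sub("", raw.strip())
        if not line:
            continue
        m = O20_LINE.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            pool[name.lower()] = f"Winlogon Notify entry '{name}'"
            if path.endswith("\\"):
                findings.append(("high", f"O20 Winlogon Notify '{name}' names a directory, "
                                         f"not a DLL (hidden-DLL pattern): {path}"))
            continue
        m = O4_LINE.match(line)
        if m:
            d = RUNDLL_ARG.search(m.group("cmd"))
            if d:
                run_dlls.append((m.group("label"), d.group("dll").strip()))
            continue
        if ORPHAN_LINE.match(line):
            findings.append(("low", f"orphaned entry, file gone but registry key remains: {line}"))
            continue
        m = FILE_LINE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            name = basename(path).lower()
            created[name] = m.group("date")
            pool[name.rsplit(".", 1)[0]] = name
            if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower():
                findings.append(("high", f"hidden+system file in system32: {path} "
                                         f"({m.group('size')} bytes)"))
    # A DLL that is both newly created and loaded by rundll32 at logon deserves a look.
    for label, dll in run_dlls:
        name = basename(dll).lower()
        if name in created:
            findings.append(("high", f"Run value [{label}] loads {dll} via rundll32, "
                                     f"and that DLL was created on {created[name]}"))
    # Vundo-family droppers pair a component with a file whose name is the reverse of it.
    seen = set()
    for stem, label in pool.items():
        mirror = stem[::-1]
        if mirror != stem and mirror in pool and frozenset((stem, mirror)) not in seen:
            seen.add(frozenset((stem, mirror)))
            findings.append(("high", f"mirrored names: {label} / {pool[mirror]}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample it flags awtsr and jkhhi (directory-only Winlogon Notify entries), both ihhkj.bak files (hidden+system in system32), SoundService and WinFlyer32.dll (fresh DLLs loaded through rundll32), and the two mirrored pairs, while the ATI, NVIDIA and WgaLogon entries pass. Heuristics like these only order the reading of a log; they do not replace checking each flagged file.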
04-21-2007, 09:10 PM, post #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Malware

Hello JayPlayer,

As explained in the thread dorts referred you to, we do not work with HijackThis Beta v 2.0 as it is still under development. We needed you to allow Deckard's System Scanner to download HijackThis version 1.99.1. Since it hasn't been downloaded, dss.exe ran a cloned version of HijackThis which is not a true working version--no fixes can be done with that version.

We'll begin the fix and we'll just have to take care of the remnant HJT entries in the next round.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Before we begin, please move dss.exe from C:\Temp\dss.exe to your desktop. While we're cleaning your system, various tools used will clean the temp folder, which, with dss.exe in its current location, means we'll lose the program.

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Disable the following programs as they will interfere with the fixes below. You may re-enable them when we're through cleaning the system.

Prevx:
  • Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose "Show Management Console".
  • On the Management Console click the Protection Level drop-down menu. You will see three levels:
    • Maximum
    • Off
    • User Defined

  • To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
  • Click the X on the upper right hand corner to exit the Management console.

Spywareguard:
  • Right click the running icon of Spywareguard in the system tray to open the program.
  • Then go to Menu, File, and choose Exit. It will automatically restart at next boot.
--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

WinFlyer

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I'll need the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Uninstall the previous versions of Java via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) as they are no longer needed and continue to pose a security risk. Older versions have vulnerabilities that malware can use to infect your system.

J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_02


You do not need to reboot after each uninstall. Wait until you've removed the last in the list, then reboot.

**Leave J2SE Runtime Environment 5.0 Update 11 intact

--------------------------------------------------------------------

Please delete your current Beta version of HijackThis and download HijackThis 1.99.1. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
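The Java step above is the one place in these instructions where ordering is easy to get wrong: "5.0", "5.0 Update 6" and "1.4.1_02" do not sort as strings, and Sun's "5.0" is internally 1.5.0. As an added example (not the helper's own tooling), the Python below parses Add/Remove display names in the two formats that appear in the list into internal version tuples, keeps the newest and lists the rest for removal; the installed list and the function names are constructed for this example.

```python
import re

# Add/Remove Programs display names: the five the post says to uninstall plus the
# Update 11 entry it says to keep (constructed list for this example).
INSTALLED_JAVA = [
    "J2SE Runtime Environment 5.0",
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java 2 Runtime Environment, SE v1.4.1_02",
    "J2SE Runtime Environment 5.0 Update 11",
]

# Sun's marketing versions map onto internal ones: "5.0" is 1.5.0 and "1.4.1_02" is
# 1.4.1 update 2, so both name formats yield a comparable (1, minor, micro, update) tuple.
# Only the two display-name formats seen in the post are handled.
J2SE_5 = re.compile(
    r"^J2SE Runtime Environment (?P<minor>\d+)\.(?P<micro>\d+)(?: Update (?P<update>\d+))?$")
JAVA_14 = re.compile(
    r"^Java 2 Runtime Environment, SE v1\.(?P<minor>\d+)\.(?P<micro>\d+)_(?P<update>\d+)$")


def version_key(display_name):
    """Return a comparable (1, minor, micro, update) tuple, or None if not a recognised JRE."""
    m = J2SE_5.match(display_name)
    if m:
        return (1, int(m.group("minor")), int(m.group("micro")), int(m.group("update") or 0))
    m = JAVA_14.match(display_name)
    if m:
        return (1, int(m.group("minor")), int(m.group("micro")), int(m.group("update")))
    return None


def plan_java_cleanup(installed):
    """Split installed JRE display names into (keep, remove, unrecognised).

    `remove` is ordered oldest first; `keep` is the single newest recognised version.
    """
    parsed, unrecognised = {}, []
    for name in installed:
        key = version_key(name)
        if key is None:
            unrecognised.append(name)
        else:
            parsed[name] = key
    if not parsed:
        return None, [], unrecognised
    keep = max(parsed, key=parsed.get)
    remove = sorted((n for n in parsed if n != keep), key=parsed.get)
    return keep, remove, unrecognised


if __name__ == "__main__":
    keep, remove, unknown = plan_java_cleanup(INSTALLED_JAVA)
    print("keep:   ", keep)
    for name in remove:
        print("remove: ", name)
    for name in unknown:
        print("check by hand:", name)
```

Anything the parser does not recognise is reported rather than silently kept or removed, which is the safe default when a display name is in a format the script has not seen.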
04-22-2007, 07:51 PM, post #6
Registered User
 
 
Join Date: Apr 2007
Posts: 6
OS: XP


Re: Malware

The 2 files as requested...

"HP_Administrator" - 07-04-22 21:35:11 Service Pack 2
ComboFix 07-04-22.4V - Running from: "C:\Documents and Settings\HP_Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ricbcxty.dll
C:\WINDOWS\system32\ytxcbcir.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-21 10:53 <DIR> d-------- C:\Deckard
2007-04-21 10:39 <DIR> d-------- C:\ZonedOut
2007-04-21 10:29 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-21 10:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-21 10:21 2,566,736 --a------ C:\Temp\spywareblastersetup351.exe
2007-04-21 10:21 2,062,665 --a------ C:\Temp\spywareguardsetup.exe
2007-04-20 22:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-20 22:37 859,856 --a------ C:\Temp\vx2cleaner_inst.exe
2007-04-20 10:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-10 17:33 581,632 --a------ C:\WINDOWS\system32\STLPORT_VC745.DLL
2007-04-10 17:33 385,100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-04-10 17:33 3,162,175 --a------ C:\WINDOWS\system32\sdkdatabind.dll
2007-04-10 17:33 282,624 --a------ C:\WINDOWS\system32\sdkcore.dll
2007-04-10 17:33 2,449,408 -ra------ C:\WINDOWS\system32\qbfc2_1.dll
2007-04-10 17:33 2,179,072 --a------ C:\WINDOWS\system32\MFC71D.DLL
2007-04-10 17:33 147,456 --a------ C:\WINDOWS\system32\qbxmlrp.dll
2007-04-10 17:33 1,667,072 --a------ C:\WINDOWS\system32\sdkqbimpl.dll
2007-04-10 17:33 1,630,208 --a------ C:\WINDOWS\system32\XERCES-C_2_3_0.DLL
2007-04-10 17:33 1,568,768 -ra------ C:\WINDOWS\system32\xerces-c_1_7_0.dll
2007-04-10 17:33 1,273,856 --a------ C:\WINDOWS\system32\xerces-c_1_5.dll
2007-04-09 11:56 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-04-09 11:56 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-04-09 11:36 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-04-09 11:34 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-04-09 11:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-03-31 18:27 12,288 --a------ C:\DOCUME~1\HP_ADM~1\spydb.dat
2007-03-30 09:37 <DIR> d-------- C:\SpySoapBin
2007-03-30 09:37 <DIR> d-------- C:\Program Files\SpySoap
2007-03-28 16:16 <DIR> d-------- C:\Temp\VirusTest
2007-03-27 13:13 17,784 --a------ C:\WINDOWS\system32\drivers\NSynas32.sys
2007-03-27 13:10 <DIR> d-------- C:\Mac Installer
2007-03-27 13:10 <DIR> d-------- C:\License
2007-03-27 13:08 <DIR> d-------- C:\Hypersonic Content
2007-03-27 13:08 <DIR> d-------- C:\Hypersonic 2 Demosongs
2007-03-27 13:08 <DIR> d-------- C:\Crack - Lauch after install
2007-03-27 13:08 <DIR> d-------- C:\Copy Protection Driver
2007-03-27 13:07 <DIR> d-------- C:\Additional Content
2007-03-27 13:03 <DIR> d-------- C:\Installer Data
2007-03-27 12:57 <DIR> d-------- C:\Documentation
2007-03-26 20:32 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-03-26 09:38 708,608 --------- C:\WINDOWS\system32\SYNSOACC.dll
2007-03-26 09:38 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-03-26 09:38 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-03-26 09:38 147,456 --------- C:\WINDOWS\system32\SynsoLChk.dll
2007-03-25 20:40 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-03-25 20:18 <DIR> d-------- C:\Temp\Hype
2007-03-24 08:36 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2007-03-24 08:36 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Prevx
2007-03-24 08:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-03-23 09:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-03-23 06:15 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Business Logic
2007-03-23 05:56 <DIR> d-------- C:\Program Files\blcorp
2007-03-23 05:01 1,227,923 ---hs---- C:\WINDOWS\system32\ihhkj.bak2
2007-03-22 23:17 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-22 01:18 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-03-22 01:18 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-22 01:18 <DIR> d-