#1
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
HJT Log Check Please - Probable Trojan
The problem started yesterday. I received 20 messages in less than 30 minutes that "down.exe" was trying to access the internet. I blocked all of them, but since then, my computer is running terribly slow, and I can't access Task Manager anymore.
I've run everything -- AdAware, Spy Sweeper, Spy Bot, Norton (a huge mess), AVG, Registry Mechanic, etc. I've tried running things in safe mode -- nothing is working. AVG quarantined 3 major problems -- backdoor.pcclient.akr, worm.autorun.arq, and backdoor.hupigon.aazo. But it is getting progressively worse. In addition to the other problems, I'm now periodically unable to access Internet Explorer, and a few minutes ago, my screen went completely black for about 15 seconds.(!)

There are 15-20 programs running as "...\windows\system32\svchost.exe." A run of tasklist /svc referred to names with "6 random letters," which I understand is not good -- but I don't want to delete them until I know for sure. I really, really don't want to do a full system restore, but I'm afraid that's where I'm headed.

Thanks in advance,
Allison

(I'm sorry that I'm unable to attach the HJT file.)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:08:48 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Corel\WordPerfect Family Pack 3\programs\wpwin9.exe
C:\WINDOWS\system32\igfxtray.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Hijack This v2\HiJackThis_v2.exe
C:\WINDOWS\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://71.42.205.126/home/SonySncRz30View.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://24.153.168.22/program/SonySncRz25View.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft Corp. (Network Operating Log (NOL)) - Unknown owner - C:\WINDOWS\uninstall.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORE.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 11274 bytes
#2
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Well, I really hope replying to my own thread doesn't kick me to the back of the line, but I wanted to get this updated info to you ASAP.
After my original post yesterday, AVG detected and quarantined a new problem -- backdoor.ceckno.cz. This virus(?) attempted to run at least 5 times under various forms of the filename "down.exe" -- the same file that started all of this two days ago. AVG also continues to detect and quarantine the backdoor.hupigon.aazo issue every time I restart my computer.

On the upside, my computer appears to be experiencing a brief period of lucidity this afternoon. I can actually type at a normal pace and the characters appear in (almost) real-time. In no way do I believe the problem is fixed -- likely just hibernating. I'll wait for the "all clear" from you first.

I tried to complete the 5 steps, and encountered the following problems:

1. Panda Scan will start running, and then will quit without warning after scanning only about 150 files. I've tried to restart it several times with the same results. I don't know what the issue is here.
2. Windows Update detected an update for a validation tool only, but the installation failed. I'm on SP2 and I've been updating automatically, so I'm probably fully up-to-date anyway. I don't know why the installation failed (my Windows is valid, btw).

No problems installing Spyware Blaster or IE-Spyad/ZonedOut. The DSS main.txt file follows below, and the extra.txt is attached. (I can attach files again - yea!)

Thank you,
Allison

Deckard's System Scanner v20071014.68
Run by Allison T. Hamilton on 2008-01-02 16:14:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-01-02 22:14:24 UTC - RP847 - Deckard's System Scanner Restore Point
1: 2008-01-02 17:49:56 UTC - RP846 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).

-- HijackThis (run as Allison T. Hamilton.exe) ---------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-02 16:20:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vssvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\hp\KBD\KBD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\TEMP\2504.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\3316.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Allison T. Hamilton\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Allison T. Hamilton.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [GoogleUpdate] C:\Program Files\Internet Explorer\3316.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://71.42.205.126/home/SonySncRz30View.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://24.153.168.22/program/SonySncRz25View.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft Corp. (Network Operating Log (NOL)) - Unknown owner - C:\WINDOWS\uninstall.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORER.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

-- End of file - 12379 bytes

-- HijackThis Fixed Entries (C:\Program Files\Hijack This v2\backups\) ---------

backup-20080101-181946-695 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080101-181946-786 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080101-181946-967 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080101-181947-160 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080101-190711-205 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080101-190711-288 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080101-190711-343 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080101-190711-825 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080101-190711-930 O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORE.EXE

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 Network Operating Log (NOL) (Microsoft Corp.) - c:\windows\uninstall.exe
S2 WinDefend (Windows Defender) - "c:\program files\windows defender\msmpeng.exe" (file missing)
S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

-- Scheduled Tasks -------------------------------------------------------------

2008-01-02 02:14:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-12-29 15:42:03 436 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2007-12-28 13:40:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-25 03:00:04 1586 --a------ C:\WINDOWS\Tasks\wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C.job

-- Files created between 2007-12-02 and 2008-01-02 -----------------------------

2008-01-02 16:17:13 0 d-------- C:\Program Files\Trend Micro
2008-01-02 11:23:53 8576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-02 08:43:28 196608 --a------ C:\WINDOWS\system32\Down(7).exe
2008-01-02 08:42:46 196608 --a------ C:\WINDOWS\system32\Down(5).exe
2008-01-02 07:39:43 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-02 07:38:53 0 d-------- C:\WINDOWS\LastGood
2008-01-02 07:09:20 196608 --a------ C:\WINDOWS\system32\IEXPLORER.EXE
2008-01-02 07:09:05 196608 --a------ C:\WINDOWS\system32\Down(3).exe
2008-01-02 07:09:00 196608 --a------ C:\WINDOWS\system32\Down(2).exe
2008-01-01 17:34:13 0 d-------- C:\Program Files\Hijack This v2
2008-01-01 13:54:22 0 d-------- C:\bintheredunthat
2008-01-01 11:45:00 0 d-------- C:\BFU
2008-01-01 11:40:20 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Grisoft
2008-01-01 11:39:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-01 11:37:17 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-01-01 11:28:49 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Uniblue
2008-01-01 11:28:32 0 d-------- C:\Program Files\Uniblue
2008-01-01 10:03:22 57036 --a------ C:\WINDOWS\system32\Down(25).exe
2008-01-01 09:21:14 61678 --a------ C:\WINDOWS\system32\Down(24).exe
2008-01-01 09:14:01 61678 --a------ C:\WINDOWS\system32\Down(23).exe
2008-01-01 09:13:51 61678 --a------ C:\WINDOWS\system32\Down(22).exe
2008-01-01 09:12:20 61678 --a------ C:\WINDOWS\system32\Down(21).exe
2008-01-01 06:42:33 114 --a------ C:\WINDOWS\61642520.BAT
2008-01-01 06:42:05 452096 -----n--- C:\WINDOWS\uninstall.exe
2008-01-01 04:52:40 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-01-01 02:34:07 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-01 00:41:15 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Leadertech
2007-12-31 18:18:20 196608 --a------ C:\WINDOWS\system32\IEXPLORE.EXE
2007-12-31 17:24:39 196608 --a------ C:\WINDOWS\system32\Down(19).exe
2007-12-31 17:17:37 196608 --a------ C:\WINDOWS\system32\Down(16).exe
2007-12-31 17:11:55 196608 --a------ C:\WINDOWS\system32\Down(14).exe
2007-12-31 17:11:20 196608 --a------ C:\WINDOWS\system32\Down(13).exe
2007-12-31 17:04:12 196608 --a------ C:\WINDOWS\system32\Down(11).exe
2007-12-31 17:02:43 196608 --a------ C:\WINDOWS\system32\Down(10).exe
2007-12-31 16:57:44 196608 --a------ C:\WINDOWS\system32\Down(8).exe
2007-12-31 16:47:34 196608 --a------ C:\WINDOWS\system32\Down(6).exe
2007-12-31 16:44:06 196608 --a------ C:\WINDOWS\system32\Down(4).exe
2007-12-31 16:13:29 57036 --a------ C:\WINDOWS\system32\Down(1).exe
2007-12-31 16:12:03 196608 --a------ C:\WINDOWS\system32\Down(0).exe
2007-12-30 18:46:43 178688 --a------ C:\WINDOWS\system32\svchst.exe
2007-12-27 15:36:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe

-- Find3M Report ---------------------------------------------------------------

2008-01-02 15:21:38 0 d-------- C:\Program Files\iTunes
2008-01-02 15:21:26 0 d-------- C:\Program Files\Messenger
2008-01-02 15:20:53 0 d-a------ C:\Program Files\Common Files\LightScribe
2008-01-02 14:47:44 0 d-------- C:\Program Files\Anti-Spyware Programs
2008-01-01 21:29:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-01 15:59:11 0 d-------- C:\Program Files\Norton Security Scan
2008-01-01 10:42:03 0 d-------- C:\Program Files\Google
2008-01-01 02:09:55 0 d-------- C:\Program Files\Common Files
2008-01-01 00:45:34 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Move Networks
2007-12-31 12:31:30 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Adobe
2007-12-31 11:53:23 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-27 15:41:41 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\AdobeUM
2007-12-21 01:05:15 8291840 --a------ C:\Program Files\OURFAM6-07.FBK
2007-12-21 01:05:14 8291840 --a------ C:\Program Files\OURFAM6-07.FTW
2007-12-20 22 29 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Smilebox
2007-11-27 12:18:20 0 d-------- C:\Program Files\iPod
2007-11-27 12:15:19 0 d-------- C:\Program Files\QuickTime

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 05:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 04:31 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/25/2005 04:34 PM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 07:54 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/26/2005 10:29 AM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 04:06 AM C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/25/2004 08:17 AM]
"SoundMan"="SOUNDMAN.EXE" [04/06/2005 12:57 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [04/06/2005 12:53 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [04/11/2005 07:10 PM C:\WINDOWS\ALCMTR.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [06/27/2002 02:47 AM]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [02/27/2004 11:29 AM]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [05/20/2004 10:40 AM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [04/07/2004 11:07 AM]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [10/18/2004 03:42 PM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [08/24/2004 02:09 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2007 11:43 PM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM] "GoogleUpdate"="C:\Program Files\Internet Explorer\3316.EXE" [01/02/2008 11:38 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [] C:\Documents and Settings\Allison T. Hamilton\Start Menu\Programs\Startup\ Lunabar Taskbar Icon.lnk - C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe [9/17/2005 1:19:27 AM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [10/13/2005 11:15:00 AM] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 8:28:24 PM] SpySubtract.lnk - C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe [5/26/2005 10:41:09 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AgentSvr.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AppSvc32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSvcHst.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileDsty.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FTCleanerShell.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file 
execution options\HijackThis.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\isPwdSvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KaScrScn.SCR] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSetup.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KISLnchr.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMailMon.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMFilter.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFWSvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRepair.COM] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KsLoader.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvfwMcl.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file 
execution options\KVMonXP_1.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvReport.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVStub.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch9x.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchX.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QHSET.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\RavStub.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegClean.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RfwMain.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ShuiNiu.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sos.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\svch0st.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SysSafe.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Systom.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\UmxAgent.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAttachment.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxCfg.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxFwHlp.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxPol.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.EXE] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] snhuqt snhuqt kwngxi kwngxi rjlwfd rjlwfd kqyuie kqyuie adypmj adypmj qttdea qttdea qugctf qugctf jjuwsw jjuwsw vllxpl vllxpl gvpjqq gvpjqq pfqnpe pfqnpe mkzozb mkzozb fdnbqt fdnbqt zxupiq zxupiq eepgbe eepgbe tmitqi tmitqi jwvbpe jwvbpe lmkynb lmkynb qtftpc qtftpc roawiy roawiy entndh entndh uevvbm uevvbm pdenwv pdenwv lvpsgh lvpsgh hoqwid hoqwid kzkbae kzkbae xydeoh xydeoh zhexpu zhexpu [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] explore\command- test.exe open\Command- test.exe 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] explore\command- test.exe open\Command- test.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{357b0fac-0b75-11da-b560-806d6172696f}] explore\command- test.exe open\Command- test.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{357b0fad-0b75-11da-b560-806d6172696f}] explore\command- test.exe open\Command- test.exe *Newly Created Service* - HOQWID *Newly Created Service* - KZKBAE *Newly Created Service* - LVPSGH *Newly Created Service* - PDENWV *Newly Created Service* - RKPAVPROC *Newly Created Service* - XYDEOH *Newly Created Service* - ZHEXPU -- End of Deckard's System Scanner: finished at 2008-01-02 16:27:29 ------------ |
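The DSS log above carries the indicators a reviewer reads first: Image File Execution Options keys that redirect security tools (and taskmgr.exe, which is why Task Manager will not open) to Flower.exe, a svchost key full of six-letter group names, a "GoogleUpdate" Run value that launches 3316.EXE from the Internet Explorer folder, MountPoints2 open/explore commands pointing at test.exe, and files such as svchst.exe and IEXPLORER.EXE named one keystroke away from Windows binaries. The script below is an added example, not part of the post, of DSS or of HijackThis: it reads a log in this format and flags those five patterns. The embedded log excerpt is constructed from a few lines of the posted log; the allow-list of svchost groups, the list of imitated binaries and the finding names are this example's own assumptions.

```python
"""Triage a Deckard's System Scanner / HijackThis style log for common
persistence and tool-blocking indicators. Added example; not DSS/HJT code."""
import re

# Allow-list of svchost group names on a stock Windows XP install (assumption
# of this example; extend it for other Windows versions before relying on it).
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "localservice",
                        "networkservice", "imgsvc", "termsvcs", "httpfilter"}
# Binaries malware likes to imitate; ordered, because the first match is reported.
SYSTEM_BINARIES = ("svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "csrss.exe", "smss.exe")

# "2008-01-02 08:43:28 196608 --a------ C:\path\file.exe <Not Verified; ...>"
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(.+?)(?:\s+<[^>]*>)?$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')          # "name"="path"
BARE_NUMBER_EXE = re.compile(r"\d+\.exe", re.IGNORECASE)  # 3316.EXE, 2504.exe


def edit_distance(a, b):
    """Levenshtein distance; flags names one keystroke away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def leaf(path):
    """Last component of a registry key or file path."""
    return path.rsplit("\\", 1)[-1]


def looks_random_group(name):
    """Six lowercase letters that are not a known svchost group (heuristic)."""
    n = name.lower()
    return bool(re.fullmatch(r"[a-z]{6}", n)) and n not in KNOWN_SVCHOST_GROUPS


def triage(log_text):
    """Return a list of (finding_kind, detail) tuples for one log."""
    findings = []
    key = ""  # registry key currently being listed, "" while in file sections
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        key_l = key.lower()
        m = FILE_LINE.match(line)
        if m:
            path = m.group(1)
            name = leaf(path).lower()
            for legit in SYSTEM_BINARIES:
                if name != legit and edit_distance(name, legit) == 1:
                    findings.append(("lookalike_binary", path + " (imitates " + legit + ")"))
                    break
        elif "\\image file execution options\\" in key_l and line.lower().startswith("debugger="):
            # Debugger= under IFEO means the named image never runs; the debugger does.
            findings.append(("ifeo_debugger", leaf(key) + " -> " + line.split("=", 1)[1]))
        elif key_l.endswith("\\svchost"):
            for group in dict.fromkeys(line.split()):  # DSS prints "name name"; dedupe
                if looks_random_group(group):
                    findings.append(("random_svchost_group", group))
        elif "\\mountpoints2\\" in key_l and "\\command-" in line.lower():
            # open/explore command hooks run the target when a drive is opened.
            findings.append(("mountpoints2_autorun", leaf(key) + ": " + line))
        elif key_l.endswith("\\run"):
            m = RUN_VALUE.match(line)
            if m and BARE_NUMBER_EXE.fullmatch(leaf(m.group(2))):
                findings.append(("run_numbered_exe", m.group(1) + " -> " + m.group(2)))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for kind, _detail in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed excerpt modelled on the posted DSS log (not the full log).
SAMPLE_LOG = r"""
-- Files created between 2007-12-02 and 2008-01-02 -----------------------------
2008-01-02 08:43:28 196608 --a------ C:\WINDOWS\system32\Down(7).exe
2008-01-02 07:09:20 196608 --a------ C:\WINDOWS\system32\IEXPLORER.EXE
2007-12-30 18:46:43 178688 --a------ C:\WINDOWS\system32\svchst.exe
2008-01-01 11:37:17 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 04:31 AM]
"GoogleUpdate"="C:\Program Files\Internet Explorer\3316.EXE" [01/02/2008 11:38 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger=C:\WINDOWS\system32\Flower.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
snhuqt snhuqt
kwngxi kwngxi
netsvcs netsvcs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
explore\command- test.exe
open\Command- test.exe
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind.ljust(22), detail)
```

Run against the full log rather than the excerpt, the same rules produce one finding per IFEO image (over a hundred here), 28 random svchost groups and eight MountPoints2 commands; the svchost rule is a heuristic and will need its allow-list extended on anything newer than XP.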
#4
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
More bumping... and a little begging...
I'm sorry to be so impatient -- it's obvious you guys are very busy -- but this is the computer I use for work and it has confidential information on it. So if it's in the process of being hijacked, I must get it fixed ASAP.

Allison
#5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
Hi Allison -
Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

Personally, if this was my machine, I'd back up any valued data (docs and pics, not applications), format and start over.

We can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused. Let me know.

You don't appear to have an AntiVirus application currently installed. Is this the case?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#6
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Hi tetonbob:
Thank you so much for your reply!

Yes, I was previously running Norton. After the problem started, I decided to upgrade to Norton 360, but it wouldn't load correctly, even after uninstalling my earlier version. I'm running AVG now, and that's what has identified all of these backdoor.* issues.

Here's my question about doing a system restore: the files I need to back up are Word Perfect documents, Outlook Express e-mails, photos, and mp3 files. There's also a few PDF and MS Word files. What is the likelihood that any of these files will bring the infection with them?

Second question: can you tell what the infection is, and where it might have come from?

Finally, to the extent possible, I want to try to clean up this computer before doing a system restore. My reasoning is that it's going to take some time to back up my data (and/or to print everything out if it can't be safely backed up), and I'd like to try to get my machine working at a more normal speed before I attempt such a task.

Do you need a new HJT log before we start?

Thank you again,
Allison
#7
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
You're using the term "system restore". This is not the same as formatting the machine and starting over, and any infected files may well be left on the machine if you use Windows XP System Restore.
If you're referring to using the manufacturer's recovery partition or CD, that's different.

I see AVG AntiSpyware, but no AntiVirus. These are not the same type of applications. Have you added AVG AntiVirus since your first post?
Post a new log from Deckard's System Scanner.
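tetonbob's rule above is to carry over data, not applications, and Allison's open question is whether the backed-up files can bring the infection with them. The first DSS log in this thread shows why the answer is not simply "no": MountPoints2 open/explore commands for C:, D: and two volume GUIDs all point at test.exe, so the infection hooks drives as they are opened, and the dropped executables sit next to ordinary data. The script below is an added example, not from the thread or from any tool named in it. It copies nothing; it classifies a backup folder so that anything with an executable (MZ) header, anything with an executable or script extension, and any autorun.inf or desktop.ini is left behind before the rest is restored. The sample folder, its file names and contents are constructed for the demonstration; the extension lists and magic-byte table are this example's own assumptions and should be extended for other file types. It deliberately does not open Office documents or Outlook Express .dbx stores, which can still carry macros or malicious attachments, so those are kept but should be scanned on the clean machine before being opened.

```python
"""Classify the files in a backup folder before restoring them onto a rebuilt
machine. Added example; not code from the thread or from DSS/HJT."""
import os
import shutil
import tempfile

# Assumed lists for this example; extend for other document/photo formats.
DATA_EXTENSIONS = {".wpd", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".mp3", ".dbx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
                         ".js", ".lnk", ".dll", ".sys"}
AUTORUN_NAMES = {"autorun.inf", "desktop.ini"}
# Leading bytes a file with this extension should start with.
EXPECTED_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
                  ".pdf": b"%PDF", ".png": b"\x89PNG"}


def classify(path):
    """Return a verdict string for one file, checking content before name."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    with open(path, "rb") as fh:
        head = fh.read(8)
    if name in AUTORUN_NAMES:
        return "reject_autorun"
    if head.startswith(b"MZ"):            # PE executable, whatever the extension says
        return "reject_pe_content"
    if ext in EXECUTABLE_EXTENSIONS:      # script/shortcut types need no MZ header
        return "reject_executable_extension"
    if ext in EXPECTED_MAGIC and not head.startswith(EXPECTED_MAGIC[ext]):
        return "review_mismatch"          # extension and content disagree
    if ext in DATA_EXTENSIONS:
        return "keep"
    return "review_unknown"


def triage_folder(root):
    """Walk a backup tree; map each relative path to its verdict."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify(full)
    return verdicts


# Constructed sample backup: names and byte contents are made up for the demo.
SAMPLE_FILES = {
    "letters/contract.wpd": b"\xffWPC constructed WordPerfect bytes",
    "photos/holiday.jpg": b"\xff\xd8\xff\xe0JFIF",       # real JPEG header
    "photos/scan.jpg": b"MZ\x90\x00 PE stub renamed",    # executable disguised as a photo
    "music/song.mp3": b"ID3\x03\x00",
    "Resume.doc.exe": b"MZ\x90\x00",                      # double extension, PE content
    "setup.scr": b"not really a screensaver",            # executable extension, no MZ
    "autorun.inf": b"[autorun]\r\nopen=test.exe\r\n",    # drive-open hook like the log's
    "docs/report.pdf": b"%PDF-1.4",
    "docs/broken.pdf": b"<html>",                         # .pdf that is not a PDF
    "docs/notes.txt": b"plain text",
    "mail/Inbox.dbx": b"\xcf\xad\x12\xfe",                # Outlook Express store: kept, scan later
}


def run_demo():
    """Build the sample tree in a temp dir, classify it, clean up, return verdicts."""
    root = tempfile.mkdtemp(prefix="backup_triage_")
    try:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return triage_folder(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(verdict.ljust(28), rel)
```

The order of the checks is the point: content (the MZ header) is tested before the extension, because a renamed executable is exactly what an extension filter misses, and the autorun check comes first because an autorun.inf is harmless as a file but dangerous on the media it sits on.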
#8
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Ok, I'm feeling like an idiot...
I didn't realize you were talking about re-formatting the machine. (And that makes more sense, of course, since my last system restore point was after the infection.....)

I did have Norton Antivirus up until a few days ago, but I had to uninstall it... I mistakenly thought I was now covered with AVG.

And in retrospect, I totally agree that there's not much point in trying to clean up the computer if I'm going to have to re-format anyway... it would be a waste of time. What do you think, though, about whether my backed-up files will still contain the infection? Is it safe to reload them onto the reformatted machine? (No software, just files.)

Below are the DSS scan results (no extra.txt file was generated). Will you be able to instruct me on the reformatting process?

Thanks!
Allison

Deckard's System Scanner v20071014.68
Run by Allison T. Hamilton on 2008-01-05 13:58:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).

-- HijackThis (run as Allison T. Hamilton.exe) ---------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-05 14:02:17
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vssvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\hp\KBD\KBD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\TEMP\2504.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\3316.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Allison T. Hamilton\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Allison T. Hamilton.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [GoogleUpdate] C:\Program Files\Internet Explorer\3316.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF:
{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://71.42.205.126/home/SonySncRz30View.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://24.153.168.22/program/SonySncRz25View.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL O18 - Filter: text/xml 
- {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Microsoft Corp. (Network Operating Log (NOL)) - Unknown owner - C:\WINDOWS\uninstall.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORER.EXE O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. 
- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe -- End of file - 12745 bytes -- Files created between 2007-12-05 and 2008-01-05 ----------------------------- 2008-01-02 16:17:13 0 d-------- C:\Program Files\Trend Micro 2008-01-02 11:23:53 8576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys <Not Verified; Panda Software International; RKPavProc Driver> 2008-01-02 08:43:28 196608 --a------ C:\WINDOWS\system32\Down(7).exe 2008-01-02 08:42:46 196608 --a------ C:\WINDOWS\system32\Down(5).exe 2008-01-02 07:39:43 0 d-------- C:\WINDOWS\system32\ActiveScan 2008-01-02 07:38:53 0 d-------- C:\WINDOWS\LastGood 2008-01-02 07:09:20 196608 --a------ C:\WINDOWS\system32\IEXPLORER.EXE 2008-01-02 07:09:05 196608 --a------ C:\WINDOWS\system32\Down(3).exe 2008-01-02 07:09:00 196608 --a------ C:\WINDOWS\system32\Down(2).exe 2008-01-01 17:34:13 0 d-------- C:\Program Files\Hijack This v2 2008-01-01 13:54:22 0 d-------- C:\bintheredunthat 2008-01-01 11:45:00 0 d-------- C:\BFU 2008-01-01 11:40:20 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Grisoft 2008-01-01 11:39:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-01 11:37:17 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner> 2008-01-01 11:28:49 0 d-------- C:\Documents and Settings\Allison T. 
Hamilton\Application Data\Uniblue 2008-01-01 11:28:32 0 d-------- C:\Program Files\Uniblue 2008-01-01 10:03:22 57036 --a------ C:\WINDOWS\system32\Down(25).exe 2008-01-01 09:21:14 61678 --a------ C:\WINDOWS\system32\Down(24).exe 2008-01-01 09:14:01 61678 --a------ C:\WINDOWS\system32\Down(23).exe 2008-01-01 09:13:51 61678 --a------ C:\WINDOWS\system32\Down(22).exe 2008-01-01 09:12:20 61678 --a------ C:\WINDOWS\system32\Down(21).exe 2008-01-01 06:42:33 114 --a------ C:\WINDOWS\61642520.BAT 2008-01-01 06:42:05 452096 -----n--- C:\WINDOWS\uninstall.exe 2008-01-01 04:52:40 0 dr------- C:\Documents and Settings\LocalService\Favorites 2008-01-01 02:34:07 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files 2008-01-01 00:41:15 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Leadertech 2007-12-31 18:18:20 196608 --a------ C:\WINDOWS\system32\IEXPLORE.EXE 2007-12-31 17:24:39 196608 --a------ C:\WINDOWS\system32\Down(19).exe 2007-12-31 17:17:37 196608 --a------ C:\WINDOWS\system32\Down(16).exe 2007-12-31 17:11:55 196608 --a------ C:\WINDOWS\system32\Down(14).exe 2007-12-31 17:11:20 196608 --a------ C:\WINDOWS\system32\Down(13).exe 2007-12-31 17:04:12 196608 --a------ C:\WINDOWS\system32\Down(11).exe 2007-12-31 17:02:43 196608 --a------ C:\WINDOWS\system32\Down(10).exe 2007-12-31 16:57:44 196608 --a------ C:\WINDOWS\system32\Down(8).exe 2007-12-31 16:47:34 196608 --a------ C:\WINDOWS\system32\Down(6).exe 2007-12-31 16:44:06 196608 --a------ C:\WINDOWS\system32\Down(4).exe 2007-12-31 16:13:29 57036 --a------ C:\WINDOWS\system32\Down(1).exe 2007-12-31 16:12:03 196608 --a------ C:\WINDOWS\system32\Down(0).exe 2007-12-30 18:46:43 178688 --a------ C:\WINDOWS\system32\svchst.exe 2007-12-27 15:36:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe -- Find3M Report --------------------------------------------------------------- 2008-01-04 15:00:11 0 d-------- C:\Program Files\Norton Security Scan 2008-01-02 15:21:38 
0 d-------- C:\Program Files\iTunes 2008-01-02 15:21:26 0 d-------- C:\Program Files\Messenger 2008-01-02 15:20:53 0 d-a------ C:\Program Files\Common Files\LightScribe 2008-01-02 14:47:44 0 d-------- C:\Program Files\Anti-Spyware Programs 2008-01-01 21:29:34 0 d-------- C:\Program Files\Common Files\Symantec Shared 2008-01-01 10:42:03 0 d-------- C:\Program Files\Google 2008-01-01 02:09:55 0 d-------- C:\Program Files\Common Files 2008-01-01 00:45:34 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Move Networks 2007-12-31 12:31:30 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Adobe 2007-12-31 11:53:23 0 d-------- C:\Program Files\Common Files\Adobe 2007-12-27 15:41:41 0 d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\AdobeUM 2007-12-21 01:05:15 8291840 --a------ C:\Program Files\OURFAM6-07.FBK 2007-12-21 01:05:14 8291840 --a------ C:\Program Files\OURFAM6-07.FTW 2007-12-20 22 29 0 d-------- C:\Documents and Settings\Allison T. 
Hamilton\Application Data\Smilebox2007-11-27 12:18:20 0 d-------- C:\Program Files\iPod 2007-11-27 12:15:19 0 d-------- C:\Program Files\QuickTime -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 05:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 04:31 AM] "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/25/2005 04:34 PM] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 07:54 AM] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/26/2005 10:29 AM] "AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 04:06 AM C:\WINDOWS\AGRSMMSG.exe] "PS2"="C:\WINDOWS\system32\ps2.exe" [10/25/2004 08:17 AM] "SoundMan"="SOUNDMAN.EXE" [04/06/2005 12:57 PM C:\WINDOWS\SOUNDMAN.EXE] "AlcWzrd"="ALCWZRD.EXE" [04/06/2005 12:53 PM C:\WINDOWS\ALCWZRD.EXE] "Alcmtr"="ALCMTR.EXE" [04/11/2005 07:10 PM C:\WINDOWS\ALCMTR.EXE] "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [06/27/2002 02:47 AM] "StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [02/27/2004 11:29 AM] "TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [05/20/2004 10:40 AM] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [04/07/2004 11:07 AM] "AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [10/18/2004 03:42 PM] "Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [08/24/2004 02:09 PM] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2007 11:43 PM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" 
[06/11/2007 03:25 AM] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM] "GoogleUpdate"="C:\Program Files\Internet Explorer\3316.EXE" [01/02/2008 11:38 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [] C:\Documents and Settings\Allison T. Hamilton\Start Menu\Programs\Startup\ Lunabar Taskbar Icon.lnk - C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe [9/17/2005 1:19:27 AM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [10/13/2005 11:15:00 AM] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 8:28:24 PM] SpySubtract.lnk - C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe [5/26/2005 10:41:09 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AgentSvr.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\AppSvc32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSvcHst.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileDsty.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FTCleanerShell.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\isPwdSvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KaScrScn.SCR] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSetup.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KISLnchr.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\KMailMon.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMFilter.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFWSvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRepair.COM] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KsLoader.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvfwMcl.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP_1.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvReport.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVStub.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch9x.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchX.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\mmqczj.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QHSET.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegClean.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RfwMain.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ShuiNiu.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\sos.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\svch0st.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SysSafe.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Systom.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAgent.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAttachment.exe] Debugger=C:\WINDOWS\system32\Flower.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxCfg.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxFwHlp.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxPol.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.EXE] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] snhuqt snhuqt kwngxi kwngxi rjlwfd rjlwfd kqyuie kqyuie adypmj adypmj qttdea qttdea qugctf qugctf jjuwsw jjuwsw vllxpl vllxpl gvpjqq gvpjqq pfqnpe pfqnpe mkzozb mkzozb fdnbqt fdnbqt zxupiq zxupiq eepgbe eepgbe tmitqi tmitqi jwvbpe jwvbpe lmkynb lmkynb qtftpc qtftpc roawiy roawiy entndh entndh uevvbm uevvbm pdenwv pdenwv lvpsgh lvpsgh hoqwid hoqwid kzkbae kzkbae xydeoh xydeoh zhexpu zhexpu ierkvb ierkvb pzncyv pzncyv tjjqkf tjjqkf wtddcg wtddcg gqubyi gqubyi ndqmjk ndqmjk xapjfe xapjfe dgaogh dgaogh [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] explore\command- test.exe open\Command- test.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] explore\command- test.exe open\Command- test.exe 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{357b0fac-0b75-11da-b560-806d6172696f}] explore\command- test.exe open\Command- test.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{357b0fad-0b75-11da-b560-806d6172696f}] explore\command- test.exe open\Command- test.exe *Newly Created Service* - DGAOGH *Newly Created Service* - GQUBYI *Newly Created Service* - HOQWID *Newly Created Service* - IERKVB *Newly Created Service* - KZKBAE *Newly Created Service* - LVPSGH *Newly Created Service* - NDQMJK *Newly Created Service* - PDENWV *Newly Created Service* - PZNCYV *Newly Created Service* - RKPAVPROC *Newly Created Service* - TJJQKF *Newly Created Service* - WTDDCG *Newly Created Service* - XAPJFE *Newly Created Service* - XYDEOH *Newly Created Service* - ZHEXPU -- End of Deckard's System Scanner: finished at 2008-01-05 14:10:52 ------------ |
#9
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
Docs and pics, and other types of data files (not exe or scr files), should be fine to back up and restore. MP3s I'd be a bit wary of, if they came from the internet.
If you're willing to try, we can give it a shot at cleaning, after you save your most valued data. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#10
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Hi tetonbob:
I'm backing up my files now. It's going really, really slow though (only 105MB copied in the past hour).... I'm going to leave it overnight and check back in the morning. Once it's done backing up, I'll complete the steps you outlined. My MP3 files were all downloaded from iTunes, so I hope they'll be ok. So assuming we have to reformat, I won't be left with anything on my computer, and will have to start from scratch with my XP Upgrade disk, correct? Thank you again, and I'll give you a status update in the morning.
Allison
Last edited by ATHamilton; 01-05-2008 at 09:49 PM.
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
Quote:
I hope we won't have to.
#12
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
I backed up all my files, and ran ComboFix as instructed. The ComboFix report and the new HijackThis report appear below.
The good news is that, after running ComboFix, I can now access Task Manager again! The not-so-good news is that after ComboFix restarted my computer the first time, 1) my computer's performance was worse than ever; 2) my CPU was maxed out at 100% the entire time; and 3) IE was not able to load pages (I was connected to the internet, and IE would load, but no pages would appear -- it just kept saying "connecting"). Believing that the problem with IE was a lack of available memory, I rebooted the computer, and on restart I disabled SpySweeper (which seemed to be causing the memory problem). I can now load pages (obviously). Task manager shows frequent jumps to 100%, but not constant. My ability to type and have the characters appear in "real time" is improving, but not as it should be. On reboot, I again was asked to quarantine the backdoor.hupigon.* issue.... And, I now have an IE shortcut on my desktop that wasn't there before. What's next? Thanks! Allison

ComboFix 08-01-06.4 - Allison T. Hamilton 2008-01-06 3:18:30.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.139 [GMT -6:00] Running from: C:\Documents and Settings\Allison T. Hamilton\desktop\combofix.exe Command switches used :: /killall * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf C:\WINDOWS\system32\Cache C:\WINDOWS\system32\cfx32.ocx C:\windows\system32\iexplore.exe C:\WINDOWS\system32\iexplorer.exe C:\WINDOWS\Temp\2424.exe C:\WINDOWS\Temp\2604.exe C:\WINDOWS\Temp\2636.exe C:\WINDOWS\Temp\2920.exe C:\WINDOWS\Temp\296.exe C:\WINDOWS\Temp\3688.exe C:\WINDOWS\Temp\372.exe C:\WINDOWS\Temp\4564.exe C:\WINDOWS\Temp\5212.exe C:\WINDOWS\Temp\5292.exe C:\WINDOWS\Temp\5324.exe D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . 
-------\nm ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))) . 2008-01-06 03:47 . 2008-01-06 03:47 76 --a------ C:\WINDOWS\system32\xapjfe.DRV 2008-01-06 03:47 . 2008-01-06 03:47 76 --a------ C:\WINDOWS\system32\ndqmjk.DRV 2008-01-06 03:47 . 2008-01-06 03:47 76 --a------ C:\WINDOWS\system32\gqubyi.DRV 2008-01-06 03:47 . 2008-01-06 03:47 76 --a------ C:\WINDOWS\system32\dgaogh.DRV 2008-01-06 03:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Program Files\Seagate 2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate 2008-01-05 20:37 . 2008-01-05 20:37 <DIR> d-------- C:\Program Files\MSXML 6.0 2008-01-04 11:58 . 2008-01-06 03:47 34,443 --a------ C:\WINDOWS\system32\wtddcg.DRV 2008-01-04 11:58 . 2008-01-06 03:47 34,333 --a------ C:\WINDOWS\system32\tjjqkf.DRV 2008-01-02 16:38 . 2008-01-06 03:47 63,806 --a------ C:\WINDOWS\system32\pzncyv.DRV 2008-01-02 16:38 . 2008-01-06 03:47 63,636 --a------ C:\WINDOWS\system32\ierkvb.DRV 2008-01-02 16:38 . 2008-01-06 03:47 63,606 --a------ C:\WINDOWS\system32\zhexpu.DRV 2008-01-02 16:17 . 2008-01-02 16:17 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-02 16:13 . 2008-01-02 16:13 <DIR> d-------- C:\Deckard 2008-01-02 15:21 . 2008-01-02 15:21 499,712 --a------ C:\WINDOWS\system32\302.tmp 2008-01-02 14:42 . 2008-01-06 03:47 65,485 --a------ C:\WINDOWS\system32\xydeoh.DRV 2008-01-02 14:42 . 2008-01-06 03:47 65,247 --a------ C:\WINDOWS\system32\kzkbae.DRV 2008-01-02 14:42 . 2008-01-06 03:47 65,154 --a------ C:\WINDOWS\system32\hoqwid.DRV 2008-01-02 14:42 . 2008-01-06 03:47 65,072 --a------ C:\WINDOWS\system32\lvpsgh.DRV 2008-01-02 14:42 . 2008-01-06 03:12 64,796 --a------ C:\WINDOWS\system32\pdenwv.DRV 2008-01-02 11:23 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys 2008-01-02 08:42 . 
2008-01-02 08:42 196,608 --a------ C:\WINDOWS\system32\Down(5).exe 2008-01-02 07:43 . 2008-01-02 15:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-02 07:42 . 2008-01-02 15:15 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-02 07:40 . 2008-01-02 15:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-01-02 07:39 . 2008-01-02 15:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-01-01 17:34 . 2008-01-01 19:19 <DIR> d-------- C:\Program Files\Hijack This v2 2008-01-01 13:54 . 2008-01-01 14:54 <DIR> d-------- C:\bintheredunthat 2008-01-01 11:40 . 2008-01-01 11:40 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Grisoft 2008-01-01 11:39 . 2008-01-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-01 11:39 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-01-01 11:37 . 2008-01-01 11:37 50,688 --a------ C:\ATF-Cleaner.exe 2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Program Files\Uniblue 2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Uniblue 2008-01-01 10:54 . 2008-01-06 03:47 161,481 --a------ C:\WINDOWS\system32\uevvbm.DRV 2008-01-01 10:03 . 2008-01-01 10:03 57,036 --a------ C:\WINDOWS\system32\Down(25).exe 2008-01-01 09:21 . 2008-01-01 09:21 61,678 --a------ C:\WINDOWS\system32\Down(24).exe 2008-01-01 09:14 . 2008-01-01 09:14 61,678 --a------ C:\WINDOWS\system32\Down(23).exe 2008-01-01 09:13 . 2008-01-01 09:13 61,678 --a------ C:\WINDOWS\system32\Down(22).exe 2008-01-01 09:12 . 2008-01-01 09:12 61,678 --a------ C:\WINDOWS\system32\Down(21).exe 2008-01-01 09:00 . 2008-01-01 09:00 1 --a------ C:\WINDOWS\system32\0004c49d.inf 2008-01-01 09:00 . 2008-01-01 09:00 1 --a------ C:\WINDOWS\system32\0004774f.inf 2008-01-01 06:42 . 2008-01-01 06:42 452,096 --------- C:\WINDOWS\uninstall.exe 2008-01-01 06:42 . 
2008-01-01 06:42 114 --a------ C:\WINDOWS\61642520.BAT 2008-01-01 02:34 . 2008-01-01 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files 2008-01-01 01:32 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll 2008-01-01 01:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys 2008-01-01 00:41 . 2008-01-01 00:41 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Leadertech 2007-12-31 17:24 . 2007-12-31 17:24 196,608 --a------ C:\WINDOWS\system32\Down(19).exe 2007-12-31 17:17 . 2007-12-31 17:17 196,608 --a------ C:\WINDOWS\system32\Down(16).exe 2007-12-31 17:11 . 2007-12-31 17:11 196,608 --a------ C:\WINDOWS\system32\Down(14).exe 2007-12-31 17:11 . 2007-12-31 17:11 196,608 --a------ C:\WINDOWS\system32\Down(13).exe 2007-12-31 17:04 . 2007-12-31 17:04 196,608 --a------ C:\WINDOWS\system32\Down(11).exe 2007-12-31 17:02 . 2007-12-31 17:02 196,608 --a------ C:\WINDOWS\system32\Down(10).exe 2007-12-31 16:57 . 2007-12-31 16:57 196,608 --a------ C:\WINDOWS\system32\Down(8).exe 2007-12-31 16:47 . 2007-12-31 16:47 196,608 --a------ C:\WINDOWS\system32\Down(6).exe 2007-12-31 16:44 . 2007-12-31 16:44 196,608 --a------ C:\WINDOWS\system32\Down(4).exe 2007-12-31 16:13 . 2007-12-31 16:13 57,036 --a------ C:\WINDOWS\system32\Down(1).exe 2007-12-31 16:12 . 2007-12-31 16:12 196,608 --a------ C:\WINDOWS\system32\Down(0).exe 2007-12-30 18:47 . 2008-01-01 05:00 145 --a------ C:\WINDOWS\system32\a.jpg 2007-12-30 18:46 . 2007-10-10 17:56 1,159,680 --a------ C:\WINDOWS\system32\Flower.dll 2007-12-30 18:46 . 2007-12-30 18:46 178,688 --a------ C:\WINDOWS\system32\svchst.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-01-06 08:02 2,208 ---h-tr C:\Program Files\Backup Log 2008-01-06 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-04 21:00 --------- d-----w C:\Program Files\Norton Security Scan 2008-01-02 21:21 --------- d-----w C:\Program Files\iTunes 2008-01-02 21:20 --------- d---a-w C:\Program Files\Common Files\LightScribe 2008-01-02 20:47 --------- d-----w C:\Program Files\Anti-Spyware Programs 2008-01-02 03:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-01 16:42 --------- d-----w C:\Program Files\Google 2008-01-01 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-01-01 06:45 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Move Networks 2007-12-31 17:53 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-27 21:41 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\AdobeUM 2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FTW 2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FBK 2007-12-21 04:06 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Smilebox 2007-11-27 18:18 --------- d-----w C:\Program Files\iPod 2007-11-27 18:15 --------- d-----w C:\Program Files\QuickTime 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-06-26 02:48 1,415,925 ----a-w C:\Program Files\OURFAM6-07.FBC 2006-08-01 03:44 136 ----a-w C:\Documents and Settings\Allison T. Hamilton\Application Data\wklnhst.dat 2006-05-26 05:00 732,873 ----a-w C:\Program Files\FSP4.zip . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 04:31 126976] "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 16:34 245760] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 07:54 253952] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 10:29 180269] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 04:06 88363 C:\WINDOWS\AGRSMMSG.exe] "PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17 90112] "SoundMan"="SOUNDMAN.EXE" [2005-04-06 12:57 90112 C:\WINDOWS\SOUNDMAN.EXE] "AlcWzrd"="ALCWZRD.EXE" [2005-04-06 12:53 2805248 C:\WINDOWS\ALCWZRD.EXE] "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-27 02:47 36864] "StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 11:29 61440] "TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:40 188416] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07 496752] "AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 15:42 79448] "Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-24 14:09 99480] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048] "!AVG 
Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608] "GoogleUpdate"="C:\Program Files\Internet Explorer\3316.EXE" [2008-01-02 11:38 176128] "basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 16:21 169328] C:\Documents and Settings\Allison T. Hamilton\Start Menu\Programs\Startup\ Lunabar Taskbar Icon.lnk - C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe [2005-09-17 01:19:27] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-10-13 11:15:00] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24] SpySubtract.lnk - C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe [2005-05-26 10:41:09] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ShuiNiu.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sos.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows 
nt\currentversion\image file execution options\svch0st.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Systom.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe] Debugger=C:\WINDOWS\system32\Flower.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe] Debugger=C:\WINDOWS\system32\Flower.exe R2 adypmj;adypmj;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21] R2 dgaogh;dgaogh;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 eepgbe;eepgbe;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 fdnbqt;fdnbqt;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 gqubyi;gqubyi;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 gvpjqq;gvpjqq;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 hoqwid;hoqwid;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 ierkvb;ierkvb;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 jjuwsw;jjuwsw;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 jwvbpe;jwvbpe;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 kwngxi;kwngxi;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 kzkbae;kzkbae;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 lmkynb;lmkynb;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 lvpsgh;lvpsgh;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 mkzozb;mkzozb;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 ndqmjk;ndqmjk;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 pfqnpe;pfqnpe;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 pzncyv;pzncyv;C:\WINDOWS\system32\svchost.exe 
[2004-08-04 06:00] R2 qtftpc;qtftpc;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 qttdea;qttdea;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 qugctf;qugctf;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 rjlwfd;rjlwfd;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00] R2 tjjqkf;tjjqkf;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 tmitqi;tmitqi;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 uevvbm;uevvbm;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 vllxpl;vllxpl;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 wtddcg;wtddcg;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 xapjfe;xapjfe;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 xydeoh;xydeoh;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 zhexpu;zhexpu;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] R2 zxupiq;zxupiq;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00] S2 Network Operating Log (NOL);Microsoft Corp.;C:\WINDOWS\uninstall.exe [2008-01-01 06:42] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] snhuqt REG_MULTI_SZ snhuqt kwngxi REG_MULTI_SZ kwngxi rjlwfd REG_MULTI_SZ rjlwfd kqyuie REG_MULTI_SZ kqyuie adypmj REG_MULTI_SZ adypmj qttdea REG_MULTI_SZ qttdea qugctf REG_MULTI_SZ qugctf jjuwsw REG_MULTI_SZ jjuwsw vllxpl REG_MULTI_SZ vllxpl gvpjqq REG_MULTI_SZ gvpjqq pfqnpe REG_MULTI_SZ pfqnpe mkzozb REG_MULTI_SZ mkzozb fdnbqt REG_MULTI_SZ fdnbqt zxupiq REG_MULTI_SZ zxupiq eepgbe REG_MULTI_SZ eepgbe tmitqi REG_MULTI_SZ tmitqi jwvbpe REG_MULTI_SZ jwvbpe lmkynb REG_MULTI_SZ lmkynb qtftpc REG_MULTI_SZ qtftpc roawiy REG_MULTI_SZ roawiy entndh REG_MULTI_SZ entndh uevvbm REG_MULTI_SZ uevvbm pdenwv REG_MULTI_SZ pdenwv lvpsgh REG_MULTI_SZ lvpsgh hoqwid REG_MULTI_SZ hoqwid kzkbae REG_MULTI_SZ kzkbae xydeoh REG_MULTI_SZ xydeoh zhexpu REG_MULTI_SZ zhexpu ierkvb REG_MULTI_SZ ierkvb pzncyv REG_MULTI_SZ pzncyv tjjqkf 
REG_MULTI_SZ tjjqkf wtddcg REG_MULTI_SZ wtddcg gqubyi REG_MULTI_SZ gqubyi ndqmjk REG_MULTI_SZ ndqmjk xapjfe REG_MULTI_SZ xapjfe dgaogh REG_MULTI_SZ dgaogh [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] \shell\explore\command - test.exe \shell\open\Command - test.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \shell\explore\command - test.exe \shell\open\Command - test.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc52e90e-b976-11dc-91ff-00038a000015}] \Shell\AutoRun\command - F:\Launch.exe /run . Contents of the 'Scheduled Tasks' folder "2008-01-04 19:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-01-06 08:14:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe "2008-01-04 21:01:13 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe "2007-12-25 09:00:04 C:\WINDOWS\Tasks\wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - C:\ . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-06 03:48:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... ? [2000] scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156] -> c:\windows\system32\zxupiq.dll -> c:\windows\system32\zhexpu.dll -> c:\windows\system32\xydeoh.dll -> c:\windows\system32\xapjfe.dll -> c:\windows\system32\wtddcg.dll -> c:\windows\system32\vllxpl.dll -> c:\windows\system32\uevvbm.dll -> c:\windows\system32\tmitqi.dll -> c:\windows\system32\tjjqkf.dll -> c:\windows\system32\rjlwfd.dll -> c:\windows\system32\qugctf.dll -> c:\windows\system32\qttdea.dll -> c:\windows\system32\pzncyv.dll -> c:\windows\system32\qtftpc.dll -> c:\windows\system32\pfqnpe.dll -> c:\windows\system32\ndqmjk.dll -> c:\windows\system32\mkzozb.dll -> c:\windows\system32\lvpsgh.dll -> c:\windows\system32\kzkbae.dll -> c:\windows\system32\lmkynb.dll -> c:\windows\system32\kwngxi.dll -> c:\windows\system32\jwvbpe.dll -> c:\windows\system32\jjuwsw.dll -> c:\windows\system32\ierkvb.dll -> c:\windows\system32\hoqwid.dll -> c:\windows\system32\gqubyi.dll -> c:\windows\system32\gvpjqq.dll -> c:\windows\system32\dgaogh.dll -> c:\windows\system32\fdnbqt.dll -> c:\windows\system32\eepgbe.dll -> c:\windows\system32\adypmj.dll . Completion time: 2008-01-06 4:04:04 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-06 10:00:19 . 
2008-01-01 01:16:50 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:22:18 AM, on 1/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\netdde.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\vssvc.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe 
C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\ALCWZRD.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Internet Explorer\3316.EXE C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe C:\Program Files\iPod\bin\iPodService.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\system32\notepad.exe C:\WINDOWS\ALCMTR.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\systemupdate20071106.exe C:\Program Files\Internet Explorer\realplayerupdate20071205.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [GoogleUpdate] "C:\Program 
Files\Internet Explorer\3316.EXE" O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: SpySubtract.lnk = C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - 
Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://71.42.205.126/home/SonySncRz30View.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://24.153.168.22/program/SonySncRz25View.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft Corp. (Network Operating Log (NOL)) - Unknown owner - C:\WINDOWS\uninstall.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORER.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 11929 bytes
#13
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
Well, it's pretty obvious this machine is pretty well infested, so the performance issues are not unexpected. Let's see if we can improve that, and then try to get an AntiVirus application installed afterward.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable SpySweeper and Windows Defender. Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
Open notepad and copy/paste the text in the quotebox below into it: Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#14
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Done. The report has been sent to bleepingcomputer.com. The c:\combofix.txt file appears below.

Do you need a new HijackThis report? Good news is that the typing issue is tremendously improved -- characters now appear in real time. Task manager still shows very high CPU usage, but it's not constantly maxed out. Task manager also shows 64 processes running (instead of 90+ earlier today), but there are still about 10 of those "svchost.exe" processes running.

Thanks!
Allison

ComboFix 08-01-06.4 - Allison T. Hamilton 2008-01-06 16:00:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT -6:00]
Running from: C:\Documents and Settings\Allison T. Hamilton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allison T. Hamilton\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\a.jpg
C:\WINDOWS\system32\Down(0).exe
C:\WINDOWS\system32\Down(10).exe
C:\WINDOWS\system32\Down(11).exe
C:\WINDOWS\system32\Down(13).exe
C:\WINDOWS\system32\Down(14).exe
C:\WINDOWS\system32\Down(16).exe
C:\WINDOWS\system32\Down(21).exe
C:\WINDOWS\system32\Down(22).exe
C:\WINDOWS\system32\Down(23).exe
C:\WINDOWS\system32\Down(4).exe
C:\WINDOWS\system32\Down(6).exe
C:\WINDOWS\system32\Down(8).exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Internet Explorer\realplayerupdate20071205.exe
C:\Program Files\Internet Explorer\systemupdate20071106.exe
C:\WINDOWS\61642520.BAT
C:\WINDOWS\system32\0004774f.inf
C:\WINDOWS\system32\0004c49d.inf
C:\WINDOWS\system32\302.tmp
C:\WINDOWS\system32\a.jpg
c:\windows\system32\adypmj.dll
c:\windows\system32\dgaogh.dll
C:\WINDOWS\system32\dgaogh.DRV
C:\WINDOWS\system32\Down(0).exe
C:\WINDOWS\system32\Down(1).exe
C:\WINDOWS\system32\Down(10).exe
C:\WINDOWS\system32\Down(11).exe
C:\WINDOWS\system32\Down(13).exe
C:\WINDOWS\system32\Down(14).exe
C:\WINDOWS\system32\Down(16).exe
C:\WINDOWS\system32\Down(19).exe
C:\WINDOWS\system32\Down(21).exe
C:\WINDOWS\system32\Down(22).exe
C:\WINDOWS\system32\Down(23).exe
C:\WINDOWS\system32\Down(24).exe
C:\WINDOWS\system32\Down(25).exe
C:\WINDOWS\system32\Down(4).exe
C:\WINDOWS\system32\Down(5).exe
C:\WINDOWS\system32\Down(6).exe
C:\WINDOWS\system32\Down(8).exe
c:\windows\system32\eepgbe.dll
c:\windows\system32\fdnbqt.dll
C:\WINDOWS\system32\Flower.dll
c:\windows\system32\gqubyi.dll
C:\WINDOWS\system32\gqubyi.DRV
c:\windows\system32\gvpjqq.dll
c:\windows\system32\hoqwid.dll
C:\WINDOWS\system32\hoqwid.DRV
c:\windows\system32\ierkvb.dll
C:\WINDOWS\system32\ierkvb.DRV
c:\windows\system32\jjuwsw.dll
c:\windows\system32\jwvbpe.dll
c:\windows\system32\kwngxi.dll
c:\windows\system32\kzkbae.dll
C:\WINDOWS\system32\kzkbae.DRV
c:\windows\system32\lmkynb.dll
c:\windows\system32\lvpsgh.dll
C:\WINDOWS\system32\lvpsgh.DRV
c:\windows\system32\mkzozb.dll
c:\windows\system32\ndqmjk.dll
C:\WINDOWS\system32\ndqmjk.DRV
C:\WINDOWS\system32\pdenwv.DRV
c:\windows\system32\pfqnpe.dll
c:\windows\system32\pzncyv.dll
C:\WINDOWS\system32\pzncyv.DRV
c:\windows\system32\qtftpc.dll
c:\windows\system32\qttdea.dll
c:\windows\system32\qugctf.dll
c:\windows\system32\rjlwfd.dll
C:\WINDOWS\system32\svchst.exe
c:\windows\system32\tjjqkf.dll
C:\WINDOWS\system32\tjjqkf.DRV
c:\windows\system32\tmitqi.dll
c:\windows\system32\uevvbm.dll
C:\WINDOWS\system32\uevvbm.DRV
c:\windows\system32\vllxpl.dll
c:\windows\system32\wtddcg.dll
C:\WINDOWS\system32\wtddcg.DRV
c:\windows\system32\xapjfe.dll
C:\WINDOWS\system32\xapjfe.DRV
c:\windows\system32\xydeoh.dll
C:\WINDOWS\system32\xydeoh.DRV
c:\windows\system32\zhexpu.dll
C:\WINDOWS\system32\zhexpu.DRV
c:\windows\system32\zxupiq.dll
C:\WINDOWS\uninstall.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ADYPMJ
-------\LEGACY_DGAOGH
-------\LEGACY_EEPGBE
-------\LEGACY_FDNBQT
-------\LEGACY_GQUBYI
-------\LEGACY_GVPJQQ
-------\LEGACY_HOQWID
-------\LEGACY_IERKVB
-------\LEGACY_JWVBPE
-------\LEGACY_KWNGXI
-------\LEGACY_KZKBAE
-------\LEGACY_LMKYNB
-------\LEGACY_LVPSGH
-------\LEGACY_MKZOZB
-------\LEGACY_NDQMJK
-------\LEGACY_NETWORK_OPERATING_LOG_(NOL)
-------\LEGACY_PFQNPE
-------\LEGACY_PZNCYV
-------\LEGACY_QTFTPC
-------\LEGACY_QTTDEA
-------\LEGACY_QUGCTF
-------\LEGACY_TJJQKF
-------\LEGACY_TMITQI
-------\LEGACY_UEVVBM
-------\LEGACY_VLLXPL
-------\LEGACY_WTDDCG
-------\LEGACY_XAPJFE
-------\LEGACY_XYDEOH
-------\LEGACY_ZHEXPU
-------\LEGACY_ZXUPIQ
-------\adypmj
-------\dgaogh
-------\eepgbe
-------\fdnbqt
-------\gqubyi
-------\gvpjqq
-------\hoqwid
-------\ierkvb
-------\jwvbpe
-------\kwngxi
-------\kzkbae
-------\lmkynb
-------\lvpsgh
-------\mkzozb
-------\ndqmjk
-------\Network Operating Log (NOL)
-------\pfqnpe
-------\pzncyv
-------\qtftpc
-------\qttdea
-------\qugctf
-------\tjjqkf
-------\tmitqi
-------\uevvbm
-------\vllxpl
-------\wtddcg
-------\xapjfe
-------\xydeoh
-------\zhexpu
-------\zxupiq

((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 13:25 . 2008-01-06 13:25 1 --a------ C:\WINDOWS\system32\00054c3c.inf
2008-01-06 03:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Program Files\Seagate
2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-05 20:37 . 2008-01-05 20:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-02 16:17 . 2008-01-02 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 16:13 . 2008-01-02 16:13 <DIR> d-------- C:\Deckard
2008-01-02 11:23 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-02 07:43 . 2008-01-02 15:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-02 07:42 . 2008-01-02 15:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-02 07:40 . 2008-01-02 15:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-02 07:39 . 2008-01-02 15:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 17:34 . 2008-01-01 19:19 <DIR> d-------- C:\Program Files\Hijack This v2
2008-01-01 13:54 . 2008-01-01 14:54 <DIR> d-------- C:\bintheredunthat
2008-01-01 11:40 . 2008-01-01 11:40 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Grisoft
2008-01-01 11:39 . 2008-01-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-01 11:39 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-01 11:37 . 2008-01-01 11:37 50,688 --a------ C:\ATF-Cleaner.exe
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Program Files\Uniblue
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Uniblue
2008-01-01 02:34 . 2008-01-01 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-01 01:32 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-01 01:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-01 00:41 . 2008-01-01 00:41 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Leadertech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 08:02 2,208 ---h-tr C:\Program Files\Backup Log
2008-01-06 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 21:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-02 21:21 --------- d-----w C:\Program Files\iTunes
2008-01-02 21:20 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-01-02 20:47 --------- d-----w C:\Program Files\Anti-Spyware Programs
2008-01-02 03:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-01 16:42 --------- d-----w C:\Program Files\Google
2008-01-01 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-01 06:45 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Move Networks
2007-12-31 17:53 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-27 21:41 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\AdobeUM
2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FTW
2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FBK
2007-12-21 04:06 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Smilebox
2007-11-27 18:18 --------- d-----w C:\Program Files\iPod
2007-11-27 18:15 --------- d-----w C:\Program Files\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-26 02:48 1,415,925 ----a-w C:\Program Files\OURFAM6-07.FBC
2006-08-01 03:44 136 ----a-w C:\Documents and Settings\Allison T. Hamilton\Application Data\wklnhst.dat
2006-05-26 05:00 732,873 ----a-w C:\Program Files\FSP4.zip
.
((((((((((((((((((((((((((((( snapshot@2008-01-06_ 3.52.31.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00:00 84,304 ----a-w C:\WINDOWS\system32\cgjcvx.dll
- 2008-01-06 09:38:00 202,845 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-06 22:19:34 202,850 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2004-08-04 12:00:00 84,304 ----a-w C:\WINDOWS\system32\nrlvge.dll
+ 2004-08-04 12:00:00 84,304 ----a-w C:\WINDOWS\system32\ppayjz.dll
+ 2004-08-04 12:00:00 92,740 ----a-w C:\WINDOWS\system32\sdbevr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 04:31 126976]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 16:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 07:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 10:29 180269]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 04:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 12:57 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 12:53 2805248 C:\WINDOWS\ALCWZRD.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-27 02:47 36864]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 11:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:40 188416]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07 496752]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 15:42 79448]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-24 14:09 99480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 16:21 169328]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

C:\Documents and Settings\Allison T. Hamilton\Start Menu\Programs\Startup\
Lunabar Taskbar Icon.lnk - C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe [2005-09-17 01:19:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-10-13 11:15:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
SpySubtract.lnk - C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe [2005-05-26 10:41:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 cgjcvx;cgjcvx;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
R2 NATServices;NATServicesware;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
R2 nrlvge;nrlvge;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
R2 ppayjz;ppayjz;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NATServices REG_MULTI_SZ NATServices
cgjcvx REG_MULTI_SZ cgjcvx
ppayjz REG_MULTI_SZ ppayjz
nrlvge REG_MULTI_SZ nrlvge

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc52e90e-b976-11dc-91ff-00038a000015}]
\Shell\AutoRun\command - F:\Launch.exe /run
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 19:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-06 08:14:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-04 21:01:13 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe
"2007-12-25 09:00:04 C:\WINDOWS\Tasks\wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - C:\
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 16:19:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> c:\windows\system32\cgjcvx.dll
-> c:\windows\system32\nrlvge.dll
-> c:\windows\system32\ppayjz.dll
-> c:\windows\system32\sdbevr.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> c:\windows\system32\ppayjz.dll
-> c:\windows\system32\nrlvge.dll
-> c:\windows\system32\cgjcvx.dll
-> c:\windows\system32\sdbevr.dll
.
Completion time: 2008-01-06 16:26:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 22:25:46
ComboFix2.txt 2008-01-06 10:04:23
.
2008-01-01 01:16:50 --- E O F ---
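Two things in the logs above are worth automating when reading a log like this. In the HijackThis O23 lines from the first post, the tells are a service with "Unknown owner", an ImagePath marked "(file missing)", and a stock Windows service name (seclogon) whose binary is not the svchost.exe that normally hosts it. In the ComboFix "Reg Loading Points" section just above, the tells are services whose ImagePath is svchost.exe but whose svchost group (the REG_MULTI_SZ values under HKLM\...\Windows NT\CurrentVersion\Svchost) does not exist on a default install, each named with six random lowercase letters. The Python below is an added example written for this edit; it is not part of the thread, of HijackThis or of ComboFix. The default group list and the stock-service table are assumed baselines to confirm against a clean machine of the same Windows version, and the sample lines are constructed copies of entries from the posted logs.

```python
"""Flag suspicious service entries in HijackThis O23 lines and ComboFix
'Reg Loading Points' lines.

Added example for this thread, not part of HijackThis, ComboFix or the
helper's instructions. DEFAULT_SVCHOST_GROUPS and STOCK_SERVICE_HOST are
assumed baselines; confirm them against a known-clean machine running the
same Windows version before trusting a verdict.
"""
import re
from typing import List, Set, Tuple

# svchost groups on a default Windows XP SP2 install (assumed baseline).
DEFAULT_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "httpfilter", "imgsvc", "termsvcs",
}
# Stock service short name -> binary that normally hosts it (assumed baseline).
STOCK_SERVICE_HOST = {"seclogon": "svchost.exe"}

O23_PREFIX = "O23 - Service: "
# ComboFix service line: "R2 name;display;path [yyyy-mm-dd hh:mm]"
RUN_LINE = re.compile(r"^R[0-4] ([^;]+);([^;]*);(.+?)(?: \[[^\]]*\])?$")
# Value under HKLM\...\CurrentVersion\Svchost: "group REG_MULTI_SZ svc1 svc2"
GROUP_LINE = re.compile(r"^(\S+) REG_MULTI_SZ (.+)$")
RANDOM_NAME = re.compile(r"^[a-z]{6}$")  # the "6 random letters" pattern

# Constructed sample: entries copied from the logs posted in this thread,
# with a few benign ones so the filter has something to pass.
SAMPLE_LINES = [
    r"O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe",
    r"O23 - Service: Microsoft Corp. (Network Operating Log (NOL)) - Unknown owner - C:\WINDOWS\uninstall.exe",
    r"O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORER.EXE (file missing)",
    r"O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)",
    r'R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]',
    r"R2 cgjcvx;cgjcvx;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]",
    r"R2 NATServices;NATServicesware;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]",
    r"R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]",
    r"NATServices REG_MULTI_SZ NATServices",
    r"cgjcvx REG_MULTI_SZ cgjcvx",
]


def split_service_name(name: str) -> Tuple[str, str]:
    """'Display (short)' -> ('Display', 'short'); nested parentheses allowed."""
    depth = 0
    if name.endswith(")"):
        for i in range(len(name) - 1, -1, -1):
            if name[i] == ")":
                depth += 1
            elif name[i] == "(":
                depth -= 1
                if depth == 0:
                    return name[:i].rstrip(), name[i + 1:-1]
    return name, name


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (service or group name, reason) for each suspicious entry."""
    findings: List[Tuple[str, str]] = []
    bad_group_members: Set[str] = set()

    # Pass 1: svchost groups. The malware in this log registered one group per DLL.
    for line in lines:
        m = GROUP_LINE.match(line.strip())
        if m and m.group(1).lower() not in DEFAULT_SVCHOST_GROUPS:
            findings.append((m.group(1), "svchost group absent from a default install"))
            bad_group_members.update(s.lower() for s in m.group(2).split())

    # Pass 2: service entries from either tool.
    for line in lines:
        line = line.strip()
        if line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _display, short = split_service_name(parts[0])
            owner, path = parts[1], parts[2]
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            if owner == "Unknown owner":
                findings.append((short, "binary carries no publisher information"))
            if missing:
                findings.append((short, "ImagePath points at a file that no longer exists"))
            expected = STOCK_SERVICE_HOST.get(short.lower())
            if expected and _basename(path) != expected:
                findings.append((short, f"stock service hosted by {_basename(path)} instead of {expected}"))
            if _dirname(path) == r"c:\windows":
                # Heuristic: service binaries rarely sit directly in %WINDIR%.
                findings.append((short, "service binary sits directly in the Windows directory"))
            continue
        m = RUN_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(3).strip('"')
            if _basename(path) == "svchost.exe" and name.lower() in bad_group_members:
                findings.append((name, "hosted by svchost.exe in a non-default group"))
            if RANDOM_NAME.match(name):
                findings.append((name, "six lowercase letters, the naming seen throughout this log"))
    return findings


def flagged_names(lines: List[str]) -> Set[str]:
    return {name for name, _ in triage(lines)}


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LINES):
        print(f"{name}: {reason}")
```

Run it as a script to print the findings for the embedded sample, or pass the lines of a saved log to triage(). It is a filter for a human reader, not a verdict: a legitimate third-party service can have no publisher recorded, and the six-letter test will match an honest name now and then, so each hit still needs the file itself checked.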
#15
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
Stay close to the computer for a while. I want to hit this quickly.
Open notepad and copy/paste the text in the quotebox below into it: Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Last edited by tetonbob; 01-06-2008 at 04:14 PM.
#16
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Done. The new c:\combofix.txt appears below.
Allison

ComboFix 08-01-06.4 - Allison T. Hamilton 2008-01-06 17:57:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.124 [GMT -6:00]
Running from: C:\Documents and Settings\Allison T. Hamilton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allison T. Hamilton\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Internet Explorer\3316.EXE
C:\WINDOWS\system32\cgjcvx.dll
C:\WINDOWS\system32\nrlvge.dll
C:\WINDOWS\system32\ppayjz.dll
C:\WINDOWS\system32\sdbevr.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Internet Explorer\3316.EXE
C:\WINDOWS\system32\cgjcvx.dll
C:\WINDOWS\system32\nrlvge.dll
C:\WINDOWS\system32\ppayjz.dll
C:\WINDOWS\system32\sdbevr.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CGJCVX
-------\LEGACY_NATSERVICES
-------\LEGACY_NRLVGE
-------\LEGACY_PPAYJZ
-------\cgjcvx
-------\NATServices
-------\nrlvge
-------\ppayjz

((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.
2008-01-06 16:30 . 2008-01-06 17:54 1,166 --a------ C:\WINDOWS\system32\sdbevr.KEY
2008-01-06 16:30 . 2008-01-06 17:54 1,126 --a------ C:\WINDOWS\system32\ppayjz.DRV
2008-01-06 16:30 . 2008-01-06 17:54 1,111 --a------ C:\WINDOWS\system32\nrlvge.DRV
2008-01-06 16:30 . 2008-01-06 17:54 1,095 --a------ C:\WINDOWS\system32\cgjcvx.DRV
2008-01-06 13:25 . 2008-01-06 13:25 1 --a------ C:\WINDOWS\system32\00054c3c.inf
2008-01-06 03:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Program Files\Seagate
2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-05 20:37 . 2008-01-05 20:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-02 16:17 . 2008-01-02 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 16:13 . 2008-01-02 16:13 <DIR> d-------- C:\Deckard
2008-01-02 11:23 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-02 07:43 . 2008-01-02 15:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-02 07:42 . 2008-01-02 15:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-02 07:40 . 2008-01-02 15:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-02 07:39 . 2008-01-02 15:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 17:34 . 2008-01-01 19:19 <DIR> d-------- C:\Program Files\Hijack This v2
2008-01-01 13:54 . 2008-01-01 14:54 <DIR> d-------- C:\bintheredunthat
2008-01-01 11:40 . 2008-01-01 11:40 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Grisoft
2008-01-01 11:39 . 2008-01-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-01 11:39 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-01 11:37 . 2008-01-01 11:37 50,688 --a------ C:\ATF-Cleaner.exe
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Program Files\Uniblue
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Uniblue
2008-01-01 02:34 . 2008-01-01 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-01 01:32 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-01 01:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-01 00:41 . 2008-01-01 00:41 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Leadertech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 08:02 2,208 ---h-tr C:\Program Files\Backup Log
2008-01-06 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 21:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-02 21:21 --------- d-----w C:\Program Files\iTunes
2008-01-02 21:20 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-01-02 20:47 --------- d-----w C:\Program Files\Anti-Spyware Programs
2008-01-02 03:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-01 16:42 --------- d-----w C:\Program Files\Google
2008-01-01 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-01 06:45 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Move Networks
2007-12-31 17:53 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-27 21:41 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\AdobeUM
2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FTW
2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FBK
2007-12-21 04:06 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Smilebox
2007-11-27 18:18 --------- d-----w C:\Program Files\iPod
2007-11-27 18:15 --------- d-----w C:\Program Files\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-26 02:48 1,415,925 ----a-w C:\Program Files\OURFAM6-07.FBC
2006-08-01 03:44 136 ----a-w C:\Documents and Settings\Allison T. Hamilton\Application Data\wklnhst.dat
2006-05-26 05:00 732,873 ----a-w C:\Program Files\FSP4.zip
.
((((((((((((((((((((((((((((( snapshot_2008-01-06_16.23.24.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 22:19:34 202,850 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-07 00:08:05 202,844 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 04:31 126976]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 16:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 07:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 10:29 180269]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 04:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 12:57 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 12:53 2805248 C:\WINDOWS\ALCWZRD.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-27 02:47 36864]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 11:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:40 188416]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07 496752]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 15:42 79448]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-24 14:09 99480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 16:21 169328]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

C:\Documents and Settings\Allison T. Hamilton\Start Menu\Programs\Startup\
Lunabar Taskbar Icon.lnk - C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe [2005-09-17 01:19:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-10-13 11:15:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
SpySubtract.lnk - C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe [2005-05-26 10:41:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc52e90e-b976-11dc-91ff-00038a000015}]
\Shell\AutoRun\command - F:\Launch.exe /run
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 19:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-06 08:14:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-04 21:01:13 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe
"2007-12-25 09:00:04 C:\WINDOWS\Tasks\wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - C:\
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:08:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 18:13:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 00:12:44
ComboFix2.txt 2008-01-06 22:26:02
ComboFix3.txt 2008-01-06 10:04:23
.
2008-01-01 01:16:50 --- E O F ---
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
It looks like we're making progress....
Open notepad and copy/paste the text in the quotebox below into it: Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Download and install Kaspersky free trial from here: http://www.kaspersky.com/anti-virus_trial
Once the installation and update procedure is complete, and the machine is back in normal mode after restarts.... Open Kaspersky by using the system tray icon (right click on it):
--------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#18
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
That's the best news I've had all week!
The new c:\combofix.txt log appears below. I'm going to download Kaspersky now.

Allison

ComboFix 08-01-06.4 - Allison T. Hamilton 2008-01-06 18:49:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.118 [GMT -6:00]
Running from: C:\Documents and Settings\Allison T. Hamilton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allison T. Hamilton\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\00054c3c.inf
C:\WINDOWS\system32\cgjcvx.DRV
C:\WINDOWS\system32\nrlvge.DRV
C:\WINDOWS\system32\ppayjz.DRV
C:\WINDOWS\system32\sdbevr.KEY
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\00054c3c.inf
C:\WINDOWS\system32\cgjcvx.DRV
C:\WINDOWS\system32\nrlvge.DRV
C:\WINDOWS\system32\ppayjz.DRV
C:\WINDOWS\system32\sdbevr.KEY
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.
2008-01-06 03:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Program Files\Seagate
2008-01-05 20:39 . 2008-01-05 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-01-05 20:37 . 2008-01-05 20:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-02 16:17 . 2008-01-02 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 16:13 . 2008-01-02 16:13 <DIR> d-------- C:\Deckard
2008-01-02 11:23 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-02 07:43 . 2008-01-02 15:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-02 07:42 . 2008-01-02 15:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-02 07:40 . 2008-01-02 15:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-02 07:39 . 2008-01-02 15:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 17:34 . 2008-01-01 19:19 <DIR> d-------- C:\Program Files\Hijack This v2
2008-01-01 13:54 . 2008-01-01 14:54 <DIR> d-------- C:\bintheredunthat
2008-01-01 11:40 . 2008-01-01 11:40 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Grisoft
2008-01-01 11:39 . 2008-01-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-01 11:39 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-01 11:37 . 2008-01-01 11:37 50,688 --a------ C:\ATF-Cleaner.exe
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Program Files\Uniblue
2008-01-01 11:28 . 2008-01-01 11:28 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Uniblue
2008-01-01 02:34 . 2008-01-01 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-01 01:32 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-01 01:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-01 00:41 . 2008-01-01 00:41 <DIR> d-------- C:\Documents and Settings\Allison T. Hamilton\Application Data\Leadertech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 08:02 2,208 ---h-tr C:\Program Files\Backup Log
2008-01-06 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 21:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-02 21:21 --------- d-----w C:\Program Files\iTunes
2008-01-02 21:20 --------- d---a-w C:\Program Files\Common Files\LightScribe
2008-01-02 20:47 --------- d-----w C:\Program Files\Anti-Spyware Programs
2008-01-02 03:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-01 16:42 --------- d-----w C:\Program Files\Google
2008-01-01 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-01 06:45 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Move Networks
2007-12-31 17:53 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-27 21:41 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\AdobeUM
2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FTW
2007-12-21 07:05 8,291,840 ----a-w C:\Program Files\OURFAM6-07.FBK
2007-12-21 04:06 --------- d-----w C:\Documents and Settings\Allison T. Hamilton\Application Data\Smilebox
2007-11-27 18:18 --------- d-----w C:\Program Files\iPod
2007-11-27 18:15 --------- d-----w C:\Program Files\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-06-26 02:48 1,415,925 ----a-w C:\Program Files\OURFAM6-07.FBC
2006-08-01 03:44 136 ----a-w C:\Documents and Settings\Allison T. Hamilton\Application Data\wklnhst.dat
2006-05-26 05:00 732,873 ----a-w C:\Program Files\FSP4.zip
.
((((((((((((((((((((((((((((( snapshot_2008-01-06_16.23.24.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 22:19:34 202,850 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-07 00:08:05 202,844 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 04:31 126976]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 16:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 07:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 10:29 180269]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 04:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 12:57 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 12:53 2805248 C:\WINDOWS\ALCWZRD.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-27 02:47 36864]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 11:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:40 188416]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07 496752]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 15:42 79448]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-24 14:09 99480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 16:21 169328]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

C:\Documents and Settings\Allison T. Hamilton\Start Menu\Programs\Startup\
Lunabar Taskbar Icon.lnk - C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe [2005-09-17 01:19:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-10-13 11:15:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
SpySubtract.lnk - C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe [2005-05-26 10:41:09]

R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc52e90e-b976-11dc-91ff-00038a000015}]
\Shell\AutoRun\command - F:\Launch.exe /run
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 19:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-06 08:14:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-04 21:01:13 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe
"2007-12-25 09:00:04 C:\WINDOWS\Tasks\wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_F24E096F408A4C1ABFA4579680949F2C - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - C:\
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:55:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 18:57:43
ComboFix-quarantined-files.txt 2008-01-07 00:57:29
ComboFix2.txt 2008-01-07 00:13:04
ComboFix3.txt 2008-01-06 22:26:02
ComboFix4.txt 2008-01-06 10:04:23
.
2008-01-01 01:16:50 --- E O F ---
#19
Registered User
Join Date: Jan 2008
Posts: 22
OS: XP sv.pk.2
Re: HJT Log Check Please - Probable Trojan
Kaspersky is finished. It neutralized 12 threats, mostly related to heur.invader.* and trojan.win32.vb.*. My computer appears to be performing normally again.
The new HJT log is below. Thanks!

Allison

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:57 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\igfxtray.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\Anti-Spyware Programs\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://71.42.205.126/home/SonySncRz30View.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://24.153.168.22/program/SonySncRz25View.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORER.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 10975 bytes
#20
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home
Re: HJT Log Check Please - Probable Trojan
Hi Allison -

That's looking pretty good.

Go to Start > Run and copy/paste the following, then press Enter:

sc stop seclogon

Go to Start > Run and copy/paste the following, then press Enter:

sc delete seclogon

Reboot your machine.

Based on the level of infection, let's have you also run this online scan. One vendor's definitions may find what another's does not. Go here to run an online scanner from ESET.

Also, run a new scan with Deckard's System Scanner, and post that log also.
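The O23 line that the reply above acts on (Secondary Logon registered with no publisher and pointing at a missing C:\WINDOWS\system32\IEXPLORER.EXE) is the general pattern to look for in any HijackThis log: a well-known Windows service whose image path no longer matches what that service should run from. The script below is an added example for this thread, not HijackThis code and not the forum's own tooling. It parses O23 lines and flags an entry when the binary is reported missing, when the owner is "Unknown owner", or when the image name differs from a short expected-image table. That table (seclogon, Task Scheduler and Automatic Updates inside svchost.exe, Print Spooler as spoolsv.exe, as they are on Windows XP) is the example's own assumption and should be extended for the services you care about; the sample lines are taken from the log posted above plus one constructed non-O23 line.

```python
"""Flag suspicious O23 (service) entries in a HijackThis log.

Added example for this thread; it is not HijackThis code and not the
forum's own tooling. EXPECTED_SERVICE_IMAGE is the example's own short
allow-list (an assumption), not something HijackThis ships.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Core Windows XP services and the image each should run from. Assumption of
# this example; extend it for the services you care about.
EXPECTED_SERVICE_IMAGE: Dict[str, str] = {
    "seclogon": "svchost.exe",  # Secondary Logon: svchost.exe -k netsvcs on XP
    "schedule": "svchost.exe",  # Task Scheduler
    "wuauserv": "svchost.exe",  # Automatic Updates
    "spooler": "spoolsv.exe",   # Print Spooler
}

_PREFIX = "O23 - Service: "
_MISSING = " (file missing)"
# "<display name> (<short name>)"; the short name is optional in HJT output.
_SHORT_NAME = re.compile(r"^(?P<display>.+?) \((?P<name>[^()]+)\)$")


@dataclass
class ServiceEntry:
    name: str      # short service name (falls back to the display name)
    display: str   # display name as shown by HijackThis
    owner: str     # publisher string, or "Unknown owner"
    path: str      # image path exactly as logged
    missing: bool  # HJT appended "(file missing)"


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one 'O23 - Service: <display> - <owner> - <path>' line, else None."""
    line = line.strip()
    if not line.startswith(_PREFIX):
        return None
    body = line[len(_PREFIX):]
    missing = body.endswith(_MISSING)
    if missing:
        body = body[:-len(_MISSING)]
    # Owner and path do not contain " - ", so split from the right; whatever is
    # left on the left is the display name.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = _SHORT_NAME.match(display)
    name = m.group("name") if m else display
    display = m.group("display") if m else display
    return ServiceEntry(name, display, owner, path, missing)


def suspicious_reasons(entry: ServiceEntry) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means it looks fine."""
    reasons: List[str] = []
    image = entry.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if entry.missing:
        reasons.append("binary missing on disk")
    if entry.owner.lower() == "unknown owner":
        reasons.append("no publisher information")
    expected = EXPECTED_SERVICE_IMAGE.get(entry.name.lower())
    if expected and image != expected:
        reasons.append(f"{entry.name} should run from {expected}, not {image}")
    return reasons


def analyze_hjt_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map short service name -> reasons, for every O23 entry that looks off."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Sample input: O23 lines taken from the HijackThis log posted above, plus one
# constructed non-O23 line to show that other sections are ignored.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe",
    r"O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORER.EXE (file missing)",
    r"O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)",
]

if __name__ == "__main__":
    for name, why in analyze_hjt_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

Run against the sample, seclogon is reported for all three reasons and WinDefend for two (missing binary, unknown owner), while the Apple and Kaspersky services pass. The third reason is the one that matters most for triage: a "file missing" service with no publisher could just be a leftover from an uninstalled product, as WinDefend probably is here, but a core Windows service whose image has been redirected away from svchost.exe is a hijack regardless of whether the payload is still on disk.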