Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Blue "Spyware detected on your computer!" desktop
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 08-11-2008, 10:14 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Blue "Spyware detected on your computer!" desktop
After letting a friend surf the net on my computer, I came back to a desktop that is blue and reads:

Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.

I am unable to place a new image as my desktop (nor can I get into the 'canned' Windows options by right-clicking on the desktop and going to Properties). Also, my Task Manager access is being blocked.

After doing some digging online, I realized this was actually a problem in and of itself.

I've run CCleaner, SpyHunter, and a few other programs, but nothing seems to take care of it. I then stumbled on your site. Per your suggestions, I've done the following:

1. I've left one anti-virus software (AVG) running and removed anything from the Control Panel that matched your list (only found Viewpoint Media Player).

2. I tried to perform an online scan with Panda ActiveScan, but their website was having issues after the registration step. I skipped that step and went to the next one.

3. I installed Spyware Blaster and IE-Spyad per your directions.

4. I updated my OS. I was already at SP2, so I stayed there. There were no critical updates, so I didn't go any further with anything on this step.

5. I downloaded Hijack This and ran a scan. Here are the results of the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:16 AM, on 2008.08.12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sluhmjoh.exe
C:\Documents and Settings\All Users\Application Data\qhmxoxkh\abobebcv.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphcehuj0egjl] C:\WINDOWS\system32\lphcehuj0egjl.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [chksysweb] C:\WINDOWS\system32\sluhmjoh.exe
O4 - HKLM\..\Policies\Explorer\Run: [8f8bKU5Flz] C:\Documents and Settings\All Users\Application Data\qhmxoxkh\abobebcv.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WD Anywhere Backup Launcher.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17742E0F-5D65-4606-867D-A3FCF9F4A77E} (SWActiveX Control) - http://www.3dcontentcentral.com/dlls...UploadTool.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tactronics.com
O17 - HKLM\Software\..\Telephony: DomainName = tactronics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tactronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tactronics.com
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O21 - SSODL: DscSrvMsg - {39BFB61D-3495-72C9-B720-02D053C532C7} - C:\Program Files\khmkzlf\DscSrvMsg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2008 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 13305 bytes


Any help any of you can lend would be much appreciated.
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 08-16-2008, 02:43 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Re: Blue "Spyware detected on your computer!" desktop
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

------------------------------------------------------------------------------------------

Please also go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\Program Files\khmkzlf\DscSrvMsg.dll

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

------------------------------------------------------------------------------------------

If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-16-2008, 06:33 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
Thank you for the response. I am out of ink on my printer, so I will get to this in a day or two.
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-16-2008, 06:35 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Re: Blue "Spyware detected on your computer!" desktop
For printing instructions?

You can also copy the instructions to Word, Wordpad or notepad, save on desktop for easy review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-19-2008, 08:57 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
Sorry - work's been jamming me up. I'm getting on this today.
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 06:08 AM   #6 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
===========
COMBOFIX LOG
===========

ComboFix 08-08-18.05 - ddelaiarro 2008-08-20 7:56:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2319 [GMT -4:00]
Running from: C:\Documents and Settings\ddelaiarro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ddelaiarro\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ddelaiarro\Application Data\macromedia\Flash Player\#SharedObjects\GBDMWEX3\interclick.com
C:\Documents and Settings\ddelaiarro\Application Data\macromedia\Flash Player\#SharedObjects\GBDMWEX3\interclick.com\ud.sol
C:\Documents and Settings\ddelaiarro\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\ddelaiarro\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
C:\WINDOWS\system32\actskn43.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBroker
-------\Service_ASBroker


((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-14 12:01 . 2008-08-14 12:01 276 --a------ C:\WINDOWS\system32\MRT.INI
2008-08-13 17:05 . 2008-08-14 12:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-13 14:53 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 11:23 . 2008-08-13 11:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-13 11:23 . 2008-08-13 11:23 <DIR> d-------- C:\Program Files\Common Files\Kaspersky Lab
2008-08-13 11:23 . 2008-08-13 11:23 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-08-12 20:28 . 2008-08-12 20:37 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-12 19:00 . 2008-08-12 19:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 19:00 . 2008-08-12 19:00 <DIR> d-------- C:\Documents and Settings\ddelaiarro\Application Data\Malwarebytes
2008-08-12 19:00 . 2008-08-12 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 19:00 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-12 19:00 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 23:49 . 2008-08-11 23:49 <DIR> d-------- C:\ie-spyad_zo
2008-08-11 23:44 . 2008-08-11 23:46 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-11 23:37 . 2008-08-11 23:37 <DIR> d-------- C:\Program Files\Panda Security
2008-08-11 23:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-11 23:22 . 2008-08-11 23:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 22:53 . 2008-08-11 22:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-11 22:24 . 2008-08-14 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qhmxoxkh
2008-08-11 21:43 . 2008-08-11 21:43 <DIR> d-------- C:\Program Files\khmkzlf
2008-08-11 21:42 . 2008-08-11 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\knmtknoh
2008-08-05 11:07 . 2008-08-05 11:07 <DIR> d-------- C:\Program Files\OutSync
2008-08-02 12:05 . 2008-08-02 12:05 <DIR> d-------- C:\Program Files\iTunes
2008-08-02 12:05 . 2008-08-02 12:05 <DIR> d-------- C:\Program Files\iPod
2008-08-02 12:03 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\QuickTime
2008-08-02 11:59 . 2008-08-02 11:59 <DIR> d-------- C:\Program Files\Safari
2008-07-23 15:55 . 2008-07-23 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Actify
2008-07-23 15:53 . 2008-07-23 15:54 <DIR> d-------- C:\Program Files\Actify

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 12:01 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\IM
2008-08-19 11:42 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\SolidWorks
2008-08-18 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-13 15:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-12 17:30 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\AVG7
2008-08-12 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-05 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 17:12 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\Apple Computer
2008-08-02 13:41 --------- d-----w C:\Program Files\Google
2008-07-25 17:58 --------- d-----w C:\Program Files\Java
2008-07-16 20:12 --------- d-----w C:\Program Files\FreeMind
2008-07-15 20:15 --------- d-----w C:\Program Files\SolidWorks
2008-07-15 20:15 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared
2008-07-15 20:13 --------- d-----w C:\Program Files\DWGeditor
2008-07-15 20:12 --------- d-----w C:\Program Files\Common Files\eDrawings2008
2008-07-15 20:09 --------- d-----w C:\Program Files\AGEIA Technologies
2008-07-15 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidWorks
2008-07-15 12:19 --------- d-----w C:\Program Files\Common Files\SolidWorks Installation Manager
2008-07-15 12:06 --------- d-----w C:\Program Files\Samurize
2008-07-11 13:09 --------- d-----w C:\Program Files\Microsoft Money 2007
2008-07-11 12:29 --------- d-----w C:\Program Files\WD
2008-07-11 12:29 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-11 12:29 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\WD
2008-07-11 12:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\MemeoCommon
2008-07-11 12:24 --------- d-----w C:\Program Files\Microsoft Money
2008-07-11 12:15 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\GetRightToGo
2008-07-10 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memeo
2008-07-10 23:06 --------- d-----w C:\Program Files\Western Digital Technologies
2008-07-10 23:05 --------- d-----w C:\Program Files\Western Digital
2008-07-02 17:34 --------- d-----w C:\Program Files\Defraggler
2008-07-02 17:33 --------- d-----w C:\Program Files\CCleaner
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 17:26 484904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-25 08:07 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-25 08:07 81920]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 12:36 872448]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 19:52 145184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 09:36 827392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 13:12 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 20:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 21:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-10-09 15:23 697976]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 10:52 57344]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 09:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 14:28 124928]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 11:00 192512]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SolidWorks_CheckForUpdates"="C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2008-06-14 04:55 6862104]
"WD Drive Manager"="C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 04:50 438272]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]
"nwiz"="nwiz.exe" [2007-05-25 08:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 08:46 177152 C:\WINDOWS\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\mvanflorcke\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe [2008-06-13 23:54:30 488728]

C:\Documents and Settings\ddelaiarro\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe [2008-06-13 23:54:30 488728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-03-14 22:08:19 192512]
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-05-27 12:48:52 542192]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-17 10:07:28 125624]
WD Anywhere Backup Launcher.lnk - C:\WINDOWS\Installer\{649C4B1A-6A76-499A-9AEC-0C9530FA7D2C}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-07-11 08:29:15 9662]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DscSrvMsg"= {39BFB61D-3495-72C9-B720-02D053C532C7} - C:\Program Files\khmkzlf\DscSrvMsg.dll [2008-08-11 21:43 126976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 12:19 49152 C:\WINDOWS\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4183542209-2861882432-1107640191-6138\Scripts\Logon\0\0]
"Script"=\\tactronics.com\SysVol\tactronics.com\scripts\Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4183542209-2861882432-1107640191-6189\Scripts\Logon\0\0]
"Script"=\\tactronics.com\SysVol\tactronics.com\scripts\Map.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-04-26 23:23]
R0 SbAlg;SbAlg;C:\WINDOWS\system32\drivers\SbAlg.sys [2006-10-09 17:31]
R0 SbFsLock;SbFsLock;C:\WINDOWS\system32\drivers\SbFsLock.sys [2007-03-29 20:54]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-04-26 23:23]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:00]
R2 HpFkCryptService;Drive Encryption Service;c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 14:58]
R2 klnagent;Kaspersky Network Agent;C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe [2008-03-17 17:19]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [2008-06-04 16:23]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [2008-06-04 16:23]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 04:52]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-23 16:13]
R3 rismc32;RICOH Smart Card Reader;C:\WINDOWS\system32\DRIVERS\rismc32.sys [2006-12-19 21:08]
S3 DAMDrv;DAMDrv;C:\WINDOWS\system32\DRIVERS\DAMDrv.sys [2007-04-23 17:13]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\WINDOWS\system32\flcdlock.exe [2007-04-30 12:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a793d6a0-4ed4-11dd-8002-001f3b32b7cb}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDEULA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\2008 AL East Season.job
- C:\Data Files\docs\Personal\Sports\MLB\2008 MLB Season\2008 AL East Season.xlsx [2008-08-19 10:26]

2008-08-15 C:\WINDOWS\Tasks\Accomplishments.job
- C:\Data Files\docs\Tactronics\Accomplishments.doc [2008-08-15 17:31]

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-19 C:\WINDOWS\Tasks\Junkdrawer_janitor.job
- C:\Data Files\scripts\Junkdrawer_janitor.vbs [2007-11-20 23:52]

2008-08-19 C:\WINDOWS\Tasks\Mozilla Firefox.job
- C:\PROGRA~1\MOZILL~1\firefox.exe [2008-07-17 16:46]

2008-08-19 C:\WINDOWS\Tasks\Personal_email-file-backups.job
- C:\blat262\full\Personal_email-file-backups.bat [2008-03-29 10:54]

2008-08-19 C:\WINDOWS\Tasks\Personal_Fitness_email-file-backups.job
- C:\blat262\full\Personal_Fitness_email-file-backups.bat [2008-03-29 10:54]

2008-08-19 C:\WINDOWS\Tasks\Personal_Sports_email-file-backups.job
- C:\blat262\full\Personal_Sports_email-file-backups.bat [2008-03-29 10:54]

2008-08-19 C:\WINDOWS\Tasks\Personal_Timesheets_email-file-backups.job
- C:\blat262\full\Personal_Timesheets_email-file-backups.bat [2008-03-29 10:54]

2008-08-19 C:\WINDOWS\Tasks\Personal_Visio_Files_email-file-backups.job
- C:\blat262\full\Personal_Visio_Files_email-file-backups.bat [2008-03-29 10:54]

2008-08-18 C:\WINDOWS\Tasks\Projects_archive.job
- C:\Data Files\scripts\Projects_archive.bat [2007-11-20 23:46]

2008-08-19 C:\WINDOWS\Tasks\Projects_janitor.job
- C:\Data Files\scripts\Projects_janitor.vbs [2008-03-24 16:31]

2008-08-18 C:\WINDOWS\Tasks\Sports_archive.job
- C:\Data Files\scripts\Sports_archive.bat [2007-11-20 23:53]

2008-08-19 C:\WINDOWS\Tasks\Sports_janitor.job
- C:\Data Files\scripts\Sports_janitor.vbs [2007-11-20 23:54]

2008-08-15 C:\WINDOWS\Tasks\Water Temp.job
- C:\Data Files\docs\Personal\MS Excel Files\Water Temp.xls [2008-08-15 17:40]

2008-08-19 C:\WINDOWS\Tasks\WeightLogger.job
- C:\Data Files\scripts\WeightLogger.vbs [2008-01-30 11:57]

2008-08-19 C:\WINDOWS\Tasks\Work_5382_file-backups.job
- C:\blat262\full\Work_5382_file-backups.bat [2008-03-29 11:30]

2008-08-19 C:\WINDOWS\Tasks\Work_5390_file-backups.job
- C:\blat262\full\Work_5390_file-backups.bat [2008-03-29 11:37]

2008-08-19 C:\WINDOWS\Tasks\Work_5429-file-backups.job
- C:\blat262\full\Work_5429-file-backups.bat [2008-03-29 10:55]

2008-08-19 C:\WINDOWS\Tasks\Work_Misc-file-backups.job
- C:\blat262\full\Work_Misc-file-backups.bat [2008-03-29 10:55]

2008-08-19 C:\WINDOWS\Tasks\Work_TCx_file-backups.job
- C:\blat262\full\Work_TCx_file-backups.bat [2008-03-29 10:55]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ddelaiarro\Application Data\Mozilla\Firefox\Profiles\e0jx730o.default\
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 08:01:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\DOCUME~1\DDELAI~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-20 811 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 1207

Pre-Run: 53,778,432,000 bytes free
Post-Run: 54,005,972,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

296 --- E O F --- 2008-08-14 16:02:08
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 06:11 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
=============
HIJACK THIS LOG
=============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:09, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\DOCUME~1\DDELAI~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WD Anywhere Backup Launcher.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17742E0F-5D65-4606-867D-A3FCF9F4A77E} (SWActiveX Control) - http://www.3dcontentcentral.com/dlls...UploadTool.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tactronics.com
O17 - HKLM\Software\..\Telephony: DomainName = tactronics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tactronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tactronics.com
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O21 - SSODL: DscSrvMsg - {39BFB61D-3495-72C9-B720-02D053C532C7} - C:\Program Files\khmkzlf\DscSrvMsg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2008 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 12204 bytes
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 06:13 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
=============
VIRUSTOOL SCAN
=============

File DscSrvMsg.dll received on 08.20.2008 14:12:12 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 2/36 (5.56%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.20 -
AntiVir 7.8.1.23 2008.08.20 -
Authentium 5.1.0.4 2008.08.20 -
Avast 4.8.1195.0 2008.08.19 -
AVG 8.0.0.161 2008.08.20 Win32/Heur
BitDefender 7.2 2008.08.20 -
CAT-QuickHeal 9.50 2008.08.19 -
ClamAV 0.93.1 2008.08.19 -
DrWeb 4.44.0.09170 2008.08.20 -
eSafe 7.0.17.0 2008.08.19 -
eTrust-Vet 31.6.6036 2008.08.19 -
Ewido 4.0 2008.08.20 -
F-Prot 4.4.4.56 2008.08.19 -
F-Secure 7.60.13501.0 2008.08.20 -
Fortinet 3.14.0.0 2008.08.20 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.20 -
K7AntiVirus 7.10.421 2008.08.19 -
Kaspersky 7.0.0.125 2008.08.20 -
McAfee 5364 2008.08.19 -
Microsoft 1.3807 2008.08.20 -
NOD32v2 3370 2008.08.20 -
Norman 5.80.02 2008.08.20 -
Panda 9.0.0.4 2008.08.19 -
PCTools 4.4.2.0 2008.08.19 -
Prevx1 V2 2008.08.20 -
Rising 20.58.22.00 2008.08.20 -
Sophos 4.32.0 2008.08.20 Mal/EncPk-DG
Sunbelt 3.1.1564.1 2008.08.20 -
Symantec 10 2008.08.20 -
TheHacker 6.3.0.5.054 2008.08.19 -
TrendMicro 8.700.0.1004 2008.08.20 -
VBA32 3.12.8.3 2008.08.20 -
ViRobot 2008.8.20.1342 2008.08.20 -
VirusBuster 4.5.11.0 2008.08.19 -
Webwasher-Gateway 6.6.2 2008.08.20 -
Additional information
File size: 126976 bytes
MD5...: b52dbfda2ccfe035307592b3da6d8c2a
SHA1..: df1a3c6b0be71db9860d850246e641f6a01b7e2d
SHA256: 2aaf8fc12db45940b26c47dd1763002314973ada402f993a11f410bb99802d3c
SHA512: 520013676e85707f9bd83808b5b7fdee9f2ceb6792f39c3caa53520f947cf22b
d34f01f8a7055da2055fc67065c8f61caebc5660fd2fbf9d71112892deea9450
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001369
timedatestamp.....: 0x48a0c4f4 (Mon Aug 11 23:02:12 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.stui 0x1000 0x198ca 0x1a000 6.88 96ae84b60b352cd28ee9dc111cfe73f8
.iywgbw 0x1b000 0x761 0x1000 3.04 839289d9a4d956f78eb3e5df357f9e33
.aycck 0x1c000 0x1fc4 0x1000 0.49 b39c6a1e8465dd519a7ff8b0d7b03a3f
.reloc 0x1e000 0x1974 0x2000 6.00 4dbe5cb2eea15df7bd22e671a7b55a41

( 4 imports )
> KERNEL32.dll: lstrlenW, GetModuleHandleW, InterlockedIncrement, Sleep, GetCurrentThreadId, GetCurrentThread, ReadProcessMemory, SetLastError, GetFileAttributesW, LoadLibraryA, FreeResource, WriteFile, SetEndOfFile, GetTickCount, GetLastError, SetFilePointer, SetThreadPriority, GetProcAddress, FileTimeToSystemTime, GetCurrentProcess, FindFirstFileW, FreeLibrary, GetPrivateProfileStringW, GetCurrentProcessId, FindResourceExW
> USER32.dll: SetCapture, GetWindowThreadProcessId, GetWindowDC, IsWindow, wsprintfW, SetLayeredWindowAttributes, EnableWindow, SetForegroundWindow, EndDialog, DestroyMenu, RegisterHotKey, LoadImageW, MessageBoxW, SetWindowPos, SystemParametersInfoW, CreateWindowExW, PostThreadMessageW, PostMessageW
> GDI32.dll: MoveToEx, BitBlt, DeleteDC, CreateCompatibleBitmap, CreateBitmap, SelectObject, CreateICW, GetMapMode, CreateFontIndirectW, Rectangle, CreateCompatibleDC, CreateRoundRectRgn
> ADVAPI32.dll: RegCloseKey, RegDeleteValueW, RegQueryValueExW, RegNotifyChangeKeyValue, RegOpenKeyExW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 08:44 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Re: Blue "Spyware detected on your computer!" desktop
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/279480-blue-spyware-detected-your-computer-desktop.html

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "DscSrvMsg"=-

    Collect::
    C:\Program Files\khmkzlf\DscSrvMsg.dll

    DirLook::
    C:\Program Files\khmkzlf
    C:\Documents and Settings\All Users\Application Data\knmtknoh
    C:\Documents and Settings\All Users\Application Data\qhmxoxkh
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 07:12 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
===============
CFScript.txt Log File
===============

ComboFix 08-08-19.06 - dDeLaiarro 2008-08-20 21:03:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2456 [GMT -4:00]
Running from: C:\Documents and Settings\ddelaiarro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ddelaiarro\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\khmkzlf\DscSrvMsg.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-20 12:47 . 2008-08-20 12:47 284,876 --a------ C:\WINDOWS\system32\setup.inx
2008-08-20 10:43 . 2004-08-04 09:00 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
2008-08-20 10:43 . 2004-08-04 09:00 5,632 --a------ C:\WINDOWS\system32\kbdusa.dll
2008-08-20 10:43 . 2004-08-04 09:00 5,632 --a------ C:\WINDOWS\system32\dllcache\kbdusa.dll
2008-08-20 10:42 . 2004-08-04 09:00 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
2008-08-20 10:42 . 2004-08-04 09:00 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
2008-08-14 12:01 . 2008-08-14 12:01 276 --a------ C:\WINDOWS\system32\MRT.INI
2008-08-13 17:05 . 2008-08-14 12:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-13 14:53 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 11:23 . 2008-08-13 11:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-13 11:23 . 2008-08-13 11:23 <DIR> d-------- C:\Program Files\Common Files\Kaspersky Lab
2008-08-13 11:23 . 2008-08-13 11:23 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-08-12 20:28 . 2008-08-12 20:37 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-12 19:00 . 2008-08-12 19:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 19:00 . 2008-08-12 19:00 <DIR> d-------- C:\Documents and Settings\ddelaiarro\Application Data\Malwarebytes
2008-08-12 19:00 . 2008-08-12 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 19:00 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-12 19:00 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 23:49 . 2008-08-11 23:49 <DIR> d-------- C:\ie-spyad_zo
2008-08-11 23:44 . 2008-08-11 23:46 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-11 23:37 . 2008-08-11 23:37 <DIR> d-------- C:\Program Files\Panda Security
2008-08-11 23:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-11 23:22 . 2008-08-11 23:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 22:53 . 2008-08-11 22:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-11 22:24 . 2008-08-14 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qhmxoxkh
2008-08-11 21:43 . 2008-08-20 21:04 <DIR> d-------- C:\Program Files\khmkzlf
2008-08-11 21:42 . 2008-08-11 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\knmtknoh
2008-08-05 11:07 . 2008-08-05 11:07 <DIR> d-------- C:\Program Files\OutSync
2008-08-02 12:05 . 2008-08-02 12:05 <DIR> d-------- C:\Program Files\iTunes
2008-08-02 12:05 . 2008-08-02 12:05 <DIR> d-------- C:\Program Files\iPod
2008-08-02 12:03 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\QuickTime
2008-08-02 11:59 . 2008-08-02 11:59 <DIR> d-------- C:\Program Files\Safari
2008-07-23 15:55 . 2008-07-23 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Actify
2008-07-23 15:53 . 2008-07-23 15:54 <DIR> d-------- C:\Program Files\Actify

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 00:56 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\IM
2008-08-20 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-20 12:24 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\SolidWorks
2008-08-13 15:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-12 17:30 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\AVG7
2008-08-12 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-05 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 17:12 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\Apple Computer
2008-08-02 13:41 --------- d-----w C:\Program Files\Google
2008-07-25 17:58 --------- d-----w C:\Program Files\Java
2008-07-16 20:12 --------- d-----w C:\Program Files\FreeMind
2008-07-15 20:15 --------- d-----w C:\Program Files\SolidWorks
2008-07-15 20:15 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared
2008-07-15 20:13 --------- d-----w C:\Program Files\DWGeditor
2008-07-15 20:12 --------- d-----w C:\Program Files\Common Files\eDrawings2008
2008-07-15 20:09 --------- d-----w C:\Program Files\AGEIA Technologies
2008-07-15 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidWorks
2008-07-15 12:19 --------- d-----w C:\Program Files\Common Files\SolidWorks Installation Manager
2008-07-15 12:06 --------- d-----w C:\Program Files\Samurize
2008-07-11 13:09 --------- d-----w C:\Program Files\Microsoft Money 2007
2008-07-11 12:29 --------- d-----w C:\Program Files\WD
2008-07-11 12:29 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-11 12:29 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\WD
2008-07-11 12:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\MemeoCommon
2008-07-11 12:24 --------- d-----w C:\Program Files\Microsoft Money
2008-07-11 12:15 --------- d-----w C:\Documents and Settings\ddelaiarro\Application Data\GetRightToGo
2008-07-10 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memeo
2008-07-10 23:06 --------- d-----w C:\Program Files\Western Digital Technologies
2008-07-10 23:05 --------- d-----w C:\Program Files\Western Digital
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-02 17:34 --------- d-----w C:\Program Files\Defraggler
2008-07-02 17:33 --------- d-----w C:\Program Files\CCleaner
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\knmtknoh ----


---- Directory of C:\Documents and Settings\All Users\Application Data\qhmxoxkh ----


---- Directory of C:\Program Files\khmkzlf ----

2008-08-11 21:43 126976 --a------ C:\Program Files\khmkzlf\DscSrvMsg.dll


((((((((((((((((((((((((((((( snapshot@2008-08-20_ 8.05.52.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-13 15:24:00 49,152 ----a-r C:\WINDOWS\Installer\{7C72AAB5-8A7D-4882-950C-A1F26A949DA3}\ARPPRODUCTICON.exe
+ 2008-08-20 16:47:44 49,152 ----a-r C:\WINDOWS\Installer\{7C72AAB5-8A7D-4882-950C-A1F26A949DA3}\ARPPRODUCTICON.exe
+ 2004-08-04 13:00:00 19,456 ----a-w C:\WINDOWS\system32\dllcache\agt0401.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbda1.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbda2.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbda3.dll
+ 2004-08-04 13:00:00 5,120 ----a-w C:\WINDOWS\system32\dllcache\kbdarme.dll
+ 2004-08-04 13:00:00 5,120 ----a-w C:\WINDOWS\system32\dllcache\kbdarmw.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbddiv1.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbddiv2.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdfa.dll
+ 2004-08-04 13:00:00 5,120 ----a-w C:\WINDOWS\system32\dllcache\kbdgeo.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdheb.dll
+ 2004-08-04 13:00:00 6,144 ----a-w C:\WINDOWS\system32\dllcache\kbdinbe1.dll
+ 2004-08-04 13:00:00 6,656 ----a-w C:\WINDOWS\system32\dllcache\kbdinben.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdindev.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdinguj.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdinhin.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdinkan.dll
+ 2004-08-04 13:00:00 6,656 ----a-w C:\WINDOWS\system32\dllcache\kbdinmal.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdinmar.dll
+ 2004-08-04 13:00:00 6,144 ----a-w C:\WINDOWS\system32\dllcache\kbdinpun.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdintam.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdintel.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdsyr1.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdsyr2.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdth0.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdth1.dll
+ 2004-08-04 13:00:00 6,144 ----a-w C:\WINDOWS\system32\dllcache\kbdth2.dll
+ 2004-08-04 13:00:00 6,144 ----a-w C:\WINDOWS\system32\dllcache\kbdth3.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdurdu.dll
+ 2004-08-04 13:00:00 5,632 ----a-w C:\WINDOWS\system32\dllcache\kbdvntc.dll
+ 2004-08-04 13:00:00 185,344 ----a-w C:\WINDOWS\system32\dllcache\thawbrkr.dll
- 2008-07-15 20:28:20 410,288 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-08-20 14:47:31 337,056 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-08-04 08:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdinbe1.dll
+ 2004-08-04 13:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdinbe1.dll
- 2004-08-04 08:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdinben.dll
+ 2004-08-04 13:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdinben.dll
- 2004-08-04 08:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdinmal.dll
+ 2004-08-04 13:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdinmal.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 17:26 484904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-25 08:07 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-25 08:07 81920]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 12:36 872448]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 19:52 145184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 09:36 827392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 13:12 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 20:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 21:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-10-09 15:23 697976]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 10:52 57344]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 09:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 09:00 455168]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 14:28 124928]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 11:00 192512]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SolidWorks_CheckForUpdates"="C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2008-06-14 04:55 6862104]
"WD Drive Manager"="C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 04:50 438272]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]
"nwiz"="nwiz.exe" [2007-05-25 08:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 08:46 177152 C:\WINDOWS\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\mvanflorcke\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe [2008-06-13 23:54:30 488728]

C:\Documents and Settings\ddelaiarro\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe [2008-06-13 23:54:30 488728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-03-14 22:08:19 192512]
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-05-27 12:48:52 542192]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-17 10:07:28 125624]
WD Anywhere Backup Launcher.lnk - C:\WINDOWS\Installer\{649C4B1A-6A76-499A-9AEC-0C9530FA7D2C}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-07-11 08:29:15 9662]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 12:19 49152 C:\WINDOWS\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4183542209-2861882432-1107640191-6138\Scripts\Logon\0\0]
"Script"=\\tactronics.com\SysVol\tactronics.com\scripts\Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4183542209-2861882432-1107640191-6189\Scripts\Logon\0\0]
"Script"=\\tactronics.com\SysVol\tactronics.com\scripts\Map.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-04-26 23:23]
R0 SbAlg;SbAlg;C:\WINDOWS\system32\drivers\SbAlg.sys [2006-10-09 17:31]
R0 SbFsLock;SbFsLock;C:\WINDOWS\system32\drivers\SbFsLock.sys [2007-03-29 20:54]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-04-26 23:23]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:00]
R2 HpFkCryptService;Drive Encryption Service;c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 14:58]
R2 klnagent;Kaspersky Network Agent;C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe [2008-03-17 17:19]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [2008-06-04 16:23]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [2008-06-04 16:23]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 04:52]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-23 16:13]
R3 rismc32;RICOH Smart Card Reader;C:\WINDOWS\system32\DRIVERS\rismc32.sys [2006-12-19 21:08]
S3 DAMDrv;DAMDrv;C:\WINDOWS\system32\DRIVERS\DAMDrv.sys [2007-04-23 17:13]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\WINDOWS\system32\flcdlock.exe [2007-04-30 12:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a793d6a0-4ed4-11dd-8002-001f3b32b7cb}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDEULA.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\2008 AL East Season.job
- C:\Data Files\docs\Personal\Sports\MLB\2008 MLB Season\2008 AL East Season.xlsx [2008-08-20 10:44]

2008-08-15 C:\WINDOWS\Tasks\Accomplishments.job
- C:\Data Files\docs\Tactronics\Accomplishments.doc [2008-08-15 17:31]

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-20 C:\WINDOWS\Tasks\Junkdrawer_janitor.job
- C:\Data Files\scripts\Junkdrawer_janitor.vbs [2007-11-20 23:52]

2008-08-20 C:\WINDOWS\Tasks\Mozilla Firefox.job
- C:\PROGRA~1\MOZILL~1\firefox.exe [2008-07-17 16:46]

2008-08-20 C:\WINDOWS\Tasks\Personal_email-file-backups.job
- C:\blat262\full\Personal_email-file-backups.bat [2008-03-29 10:54]

2008-08-20 C:\WINDOWS\Tasks\Personal_Fitness_email-file-backups.job
- C:\blat262\full\Personal_Fitness_email-file-backups.bat [2008-03-29 10:54]

2008-08-20 C:\WINDOWS\Tasks\Personal_Sports_email-file-backups.job
- C:\blat262\full\Personal_Sports_email-file-backups.bat [2008-03-29 10:54]

2008-08-20 C:\WINDOWS\Tasks\Personal_Timesheets_email-file-backups.job
- C:\blat262\full\Personal_Timesheets_email-file-backups.bat [2008-03-29 10:54]

2008-08-20 C:\WINDOWS\Tasks\Personal_Visio_Files_email-file-backups.job
- C:\blat262\full\Personal_Visio_Files_email-file-backups.bat [2008-03-29 10:54]

2008-08-20 C:\WINDOWS\Tasks\Projects_archive.job
- C:\Data Files\scripts\Projects_archive.bat [2007-11-20 23:46]

2008-08-20 C:\WINDOWS\Tasks\Projects_janitor.job
- C:\Data Files\scripts\Projects_janitor.vbs [2008-03-24 16:31]

2008-08-20 C:\WINDOWS\Tasks\Sports_archive.job
- C:\Data Files\scripts\Sports_archive.bat [2007-11-20 23:53]

2008-08-20 C:\WINDOWS\Tasks\Sports_janitor.job
- C:\Data Files\scripts\Sports_janitor.vbs [2007-11-20 23:54]

2008-08-15 C:\WINDOWS\Tasks\Water Temp.job
- C:\Data Files\docs\Personal\MS Excel Files\Water Temp.xls [2008-08-15 17:40]

2008-08-20 C:\WINDOWS\Tasks\WeightLogger.job
- C:\Data Files\scripts\WeightLogger.vbs [2008-01-30 11:57]

2008-08-20 C:\WINDOWS\Tasks\Work_5382_file-backups.job
- C:\blat262\full\Work_5382_file-backups.bat [2008-03-29 11:30]

2008-08-20 C:\WINDOWS\Tasks\Work_5390_file-backups.job
- C:\blat262\full\Work_5390_file-backups.bat [2008-03-29 11:37]

2008-08-20 C:\WINDOWS\Tasks\Work_5429-file-backups.job
- C:\blat262\full\Work_5429-file-backups.bat [2008-03-29 10:55]

2008-08-20 C:\WINDOWS\Tasks\Work_Misc-file-backups.job
- C:\blat262\full\Work_Misc-file-backups.bat [2008-03-29 10:55]

2008-08-20 C:\WINDOWS\Tasks\Work_TCx_file-backups.job
- C:\blat262\full\Work_TCx_file-backups.bat [2008-03-29 10:55]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 2146
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 21:07:59
ComboFix-quarantined-files.txt 2008-08-21 01:07:45
ComboFix2.txt 2008-08-20 1211

Pre-Run: 53,711,810,560 bytes free
Post-Run: 53,724,639,232 bytes free

311 --- E O F --- 2008-08-14 16:02:08
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 07:14 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
===========
HiJackThis Log
===========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WD Anywhere Backup Launcher.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17742E0F-5D65-4606-867D-A3FCF9F4A77E} (SWActiveX Control) - http://www.3dcontentcentral.com/dlls...UploadTool.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tactronics.com
O17 - HKLM\Software\..\Telephony: DomainName = tactronics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tactronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tactronics.com
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2008 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 11915 bytes
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 07:22 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Re: Blue "Spyware detected on your computer!" desktop
Spyhunter was once listed as a rogue application. Though it's been de-listed, I personally would not have it on my machines. It can be uninstalled via Add or Remove Programs should you so choose.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Let me know how the machine is behaving, also.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-21-2008, 04:38 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 21, 2008 02:51:15
Records in database: 1116274
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
M:\
T:\
Z:\

Scan statistics:
Files scanned: 169211
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:35:35

No malware has been detected. The scan area is clean.

The selected area was scanned.
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-21-2008, 04:39 AM   #14 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
Machine seems to be running fine recently. I can get into Task Manager and can change desktop settings now. The performance of the machine seems to be up to par with what it was before the virus hit.
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-21-2008, 09:05 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Re: Blue "Spyware detected on your computer!" desktop
These folders are likely remnants of infection. They appear to be empty, and can be deleted. Please check them first, to ensure they are indeed empty. If they are not, don't delete them, and let me know.

C:\Documents and Settings\All Users\Application Data\knmtknoh
C:\Documents and Settings\All Users\Application Data\qhmxoxkh
C:\Program Files\khmkzlf

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-25-2008, 06:05 AM   #16 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 11
OS: XP


Re: Blue "Spyware detected on your computer!" desktop
Sorry for the delay. It seems as though I don't get any emails notifying me there are responses even though I signed up for immediate notification.

Regardless, I deleted both folders (they were both empty).

I also removed ComboFix via the directions you gave above. I'm now doing more research into the options you've presented for software and will be implementing them today.

Thanks again for all your help.

Dan
ddelaiarro is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 03:59 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85