Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: I even have unwanted music playing!

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Unhappy I even have unwanted music playing!

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:54:12 PM, on 3/2/2008
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\VTTimer.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
    C:\windows\system32\rwwnw64d.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\WINDOWS\SYSTEM32\kcntqmwb.exe
    C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Weaver\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {CB460112-259C-4607-86E7-D4A2F554C8A3} - (no file)
    O2 - BHO: 0 - {E1188832-660D-4473-CEB7-B8C9C4DA22F9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
    O4 - HKLM\..\Run: [{50-0A-AF-F0-DW}] C:\windows\system32\rwwnw64d.exe DWram
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kcntqmwb.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187979134998
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187979108608
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O20 - Winlogon Notify: gebcd - C:\WINDOWS\
    O21 - SSODL: zip - {85c43cce-ed85-43aa-803f-10163c1d761d} - C:\WINDOWS\Installer\{85c43cce-ed85-43aa-803f-10163c1d761d}\zip.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\CHAT\xupregi.html

    --
    End of file - 9339 bytes
    Thanks so much!

    Kathee

  2. #2
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Default

    Sunday, March 02, 2008 9:37:22 PM
    Operating System: Microsoft Windows XP Professional, (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 3/03/2008
    Kaspersky Anti-Virus database records: 593839


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 82008
    Number of viruses found 13
    Number of infected objects 31
    Number of suspicious objects 0
    Duration of the scan process 01:30:46

    Infected Object Name Virus Name Last Action
    C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped

    C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\SYSTEM32\lpwnw64s.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

    C:\WINDOWS\SYSTEM32\iDlo01\iDlo011065.exe Infected: Trojan-Downloader.Win32.VB.caw skipped

    C:\WINDOWS\SYSTEM32\c4\np89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped

    C:\WINDOWS\SYSTEM32\c4\np89104.exe NSIS: infected - 1 skipped

    C:\WINDOWS\SYSTEM32\k8\ravecom3.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped

    C:\WINDOWS\SYSTEM32\r2\renabcom4.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

    C:\WINDOWS\SYSTEM32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

    C:\WINDOWS\SYSTEM32\kcntqmwb.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped

    C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\Program Files\CHAT\xupregi.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\NetMeeting\luposa89104.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped

    C:\Program Files\CA\SharedComponents\PPRT\logs\2008-03-02.csv Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\CA\eTrustPestPatrol\CAPPAPLog.txt Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Temp\~DF4296.tmp Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Temp\~DF476A.tmp Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Temp\~DF53FA.tmp Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Temp\~DF9DD9.tmp Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\History\History.IE5\MSHist012008030220080303\index.dat Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Application Data\Microsoft\Speech\Files\MSASR\SP_2951F14DFAA5467D9CB98DAEFBA318FB.dat Object is locked skipped

    C:\Documents and Settings\Weaver\Local Settings\Application Data\Microsoft\Speech\Files\MSASR\SP_9A23BC92E7264B0A8C1734E59029FAD8.dat Object is locked skipped

    C:\Documents and Settings\Weaver\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Weaver\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\Weaver\ntuser.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP437\A0115866.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP443\A0118139.exe Infected: Trojan-Dropper.Win32.Agent.esi skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP443\A0118150.dll Infected: Trojan.Win32.Agent.fhg skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP443\A0118151.dll Infected: Trojan.Win32.Agent.fhg skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP443\A0118152.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP444\A0118155.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP446\A0121179.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0121234.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0121235.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0121266.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0121281.exe Infected: Trojan-Downloader.Win32.VB.caw skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0121282.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0121283.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0122291.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP447\A0122309.dll Infected: not-a-virus:AdWare.Win32.Rabio.h skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\A0123309.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\A0123310.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\A0123311.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\A0123314.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\A0123315.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\A0123316.exe Infected: Backdoor.Win32.Small.cwc skipped

    C:\System Volume Information\_restore{2CBDD955-83D2-4907-A991-3703894FA303}\RP449\change.log Object is locked skipped

    Scan process completed.
    Thanks so much!

    Kathee

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Thanks for posting the correct information, you would be supprised how few do. You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

    Kathee, we may have to drag out some tools for this one, you have some nasty trojans, but I want to try it first manually. Please follow the directions in the posted order.

    1) You need to review the "Before your Post" instructions again, you are using an out of date version of HJT and that is covered plainly in the instructions. Do this:

    Download Trend Micro Hijack This™
    http://download.bleepingcomputer.com...HJTInstall.exe
    Doubleclick the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
    HijackThis will open after install. Press the Scan button below.
    This will start the scan and open a log.
    Copy and paste the contents of the log in your next reply. (when we finish)

    2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this Go to the Mode menu select "Advanced Mode"
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)

    3) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    4) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    5) Start > Control Panel > Add Remove programs > Look for ZenoSearch and uninstall it if there. Uninstall any program you know should not be there. If you are not sure about something, let me know and I will look.

    6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    (if you want that Start Page, you may leave it)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
    O2 - BHO: (no name) - {CB460112-259C-4607-86E7-D4A2F554C8A3} - (no file)
    O2 - BHO: 0 - {E1188832-660D-4473-CEB7-B8C9C4DA22F9} - (no file)
    O4 - HKLM\..\Run: [{50-0A-AF-F0-DW}] C:\windows\system32\rwwnw64d.exe DWram
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kcntqmwb.exe
    (next two are Alexa related resource wasters, if you use Alexa, you may leave them)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O20 - Winlogon Notify: gebcd - C:\WINDOWS\
    O21 - SSODL: zip - {85c43cce-ed85-43aa-803f-10163c1d761d} - C:\WINDOWS\Installer\{85c43cce-ed85-43aa-803f-10163c1d761d}\zip.dll
    O24 - Desktop Component 0: (no name) - C:\Program Files\CHAT\xupregi.html

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    7) Right click Start > Explore and navigate to these files/folders and delete them if there.

    (if they are folders, delete the contents also)

    C:\WINDOWS\SYSTEM32\kcntqmwb.exe <<< file

    C:\windows\system32\rwwnw64d.exe <<< file

    C:\WINDOWS\SYSTEM32\lpwnw64s.exe <<< file

    C:\WINDOWS\SYSTEM32\iDlo01\ <<< folder

    C:\WINDOWS\SYSTEM32\c4\ <<< folder

    C:\WINDOWS\SYSTEM32\k8\ <<< folder

    C:\WINDOWS\SYSTEM32\r2\ <<< folder

    C:\Program Files\CHAT\xupregi.html <<< file

    C:\Program Files\NetMeeting\luposa89104.dll <<< file


    8) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post a new HJT log with some feedback.

    That's a start...Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Default

    thankyou so much for your helpI followed your directions exactally only problem was I couldnt find ZenoSearch (#5) or xupregi.html int the chat folder in the programs file (#7)my ca antispy is telling me it found 2 adwares: CiDhelp*and Zenotecnico here is the new HJT log** *Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:11:06 AM, on 3/3/2008Platform: Windows XP* (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exeC:\WINDOWS\system32\drivers\KodakCCS.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\VTTimer.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exeC:\WINDOWS\System32\wuauclt.exeC:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dllO2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [VTTimer] VTTimer.exeO4 - HKLM\..\Run: [SystemTray] SysTray.ExeO4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -kO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe"O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...unicode.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpa...der1006.cabO16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...estscan.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/...ME_UNO1.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...base370.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...87979134998O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...install.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...87979108608O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...webscan.cabO16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...nloader.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...ab56907.cabO21 - SSODL: zip - {85c43cce-ed85-43aa-803f-10163c1d761d} - C:\WINDOWS\Installer\{85c43cce-ed85-43aa-803f-10163c1d761d}\zip.dllO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exeO23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exeO23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exeO23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe--End of file - 8255 bytes
    Thanks so much!

    Kathee

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    Default

    Hi Kathee, I don't know what you have done, but this information is useless to me. Please read the directions again, make sure word wrap is not turned on or something. Now look at the first HJT log you posted. This HJT log should look similiar to it except instead of Beta it is the correct version, please try aid to post a HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Default

    ok lets hope this looks better

    Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:45:17 AM, on 3/3/2008Platform: Windows XP* (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exeC:\WINDOWS\system32\drivers\KodakCCS.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\VTTimer.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exeC:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exeC:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dllO2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [VTTimer] VTTimer.exeO4 - HKLM\..\Run: [SystemTray] SysTray.ExeO4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -kO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe"O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...unicode.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpa...der1006.cabO16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...estscan.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/...ME_UNO1.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...base370.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...87979134998O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...install.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...87979108608O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...webscan.cabO16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...nloader.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...ab56907.cabO21 - SSODL: zip - {85c43cce-ed85-43aa-803f-10163c1d761d} - C:\WINDOWS\Installer\{85c43cce-ed85-43aa-803f-10163c1d761d}\zip.dllO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exeO23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exeO23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exeO23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe--End of file - 8129 bytes
    Thanks so much!

    Kathee

  7. #7
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Default

    still trying here I think I found the problem

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:45:17 AM, on 3/3/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\VTTimer.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187979134998
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187979108608
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O21 - SSODL: zip - {85c43cce-ed85-43aa-803f-10163c1d761d} - C:\WINDOWS\Installer\{85c43cce-ed85-43aa-803f-10163c1d761d}\zip.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 8129 bytes
    Thanks so much!

    Kathee

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    Default

    Sorry Kathee, The HJT log is correct now, but we have another major issue.

    See this information, make sure you read that information carefully:
    http://forums.spybot.info/showthread.php?t=425

    Update Your Windows XP.
    You are currently using an unpatched version of Windows XP.
    Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
    Get SP1a here : http://www.microsoft.com/windowsxp/d...1/default.mspx
    You should also get SP2, but NOT NOW, rather only after your machine is clean.
    After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Default

    I used that link and also tried earlier but here are the only choices it gives me:

    Select High-Priority Updates
    To help protect your computer against security threats and performance problems, we strongly recommend you install all high-priority updates.


    Restore and Check Again Only selected updates will appear the next time you check for updates.




    Review and install updates Total: 2 updates , 57.6 MB , 4 minutes


    High-priority updates
    Microsoft Office 2002/XP



    Office XP Service Pack 3
    Download size: 57.6 MB , 4 minutes
    Office XP Service Pack 3 (SP3) provides the latest updates to Microsoft Office XP. SP3 contains significant security enhancements, as well as stability and performance improvements. This service pack applies to any level of Office XP. It contains all updates included in SP1 and SP2, in addition to updates released after SP2. SP3 applies to the following Office XP products: Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, Access 2002, FrontPage 2002, Publisher 2002, and Office XP Web Components. Details...
    Don't show this update again
    Microsoft CAPICOM



    Security Update for CAPICOM (KB931906)



    now what?
    Thanks so much!

    Kathee

  10. #10
    Junior Member
    Join Date
    Mar 2008
    Posts
    7

    Default

    I am starting to think that I need to just buy a new computer. Do you think that is the case? The only reason I havnt is that I cant afford it right now So if there is a way to salvage this one I would be forever grateful
    Thanks so much!

    Kathee

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •