
Thread: Windows Security Alert - Every 5 minutes

  1. #1 - Junior Member (Join Date: Sep 2007, Posts: 4)

    Windows Security Alert - Every 5 minutes

    I get a message "Windows Security Alert, Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unauthorised access to your files! Click YES to download spyware remover..." (Complete with misspelled words.) Norton has removed a trojan, but I keep getting the message. I tried to turn off system restore, but my control panel is missing???

    I would SINCERELY appreciate any help. I downloaded and ran HiJackThis, and this is the log file from the scan performed:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:38:13 AM, on 9/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\printer.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\found.000\dir0054.chk\SetPoint\KEM.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Startup: system.exe
    O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: autorun.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\found.000\dir0054.chk\SetPoint\KEM.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187527391625
    O20 - AppInit_DLLs: systems.txt
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9811 bytes
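
The log above carries the whole persistence chain of a SmitFraud-style rogue "antispyware" infection: the F2 line chains C:\WINDOWS\System32\printer.exe onto the Explorer shell so it starts with the desktop at every logon, the O20 line makes every GUI process load a file called systems.txt through AppInit_DLLs, the paired HKLM/HKCU WinAVX Run entries and the bare system.exe / autorun.exe in the Startup folders relaunch the alert, and the O7 policy disables regedit to hinder clean-up. Removing one file (as Norton did) leaves the others to restore it. The script below is an added example by the editor, not part of HijackThis and not code from the original post; it triages a pasted HijackThis log with the editor's own heuristics (the regexes, severities and SUSPICIOUS_NAMES list are assumptions), and SAMPLE_LOG is a handful of lines copied from the log above.

```python
"""Triage a HijackThis log for the persistence tricks used by rogue
"antispyware" (SmitFraud-family) infections.

Added example for this thread; it is not part of HijackThis and not code from
the original post. The rules are the editor's own heuristics (assumption), and
SAMPLE_LOG is a handful of lines copied from the log posted above.
"""
import re
from collections import Counter

# Shell= in system.ini / Winlogon should be exactly "Explorer.exe"; anything
# appended after it is launched with the desktop at every logon (F2 entry).
RE_F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
# AppInit_DLLs is mapped into every process that loads user32.dll (O20 entry).
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (.+)$", re.I)
# O7 = Policies\System restrictions such as DisableRegedit / NoControlPanel.
RE_O7 = re.compile(r"^O7 - ", re.I)
# O4 = autostarts: Run/RunOnce keys and Startup folders.
RE_O4 = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.+)$", re.I)
# Lines in the "Running processes" section are bare full paths.
RE_PROC = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

# Filenames that impersonate system components or carry no vendor identity.
# Editor's list seeded from this thread (assumption), not an HJT rule.
SUSPICIOUS_NAMES = {"printer.exe", "system.exe", "autorun.exe", "winavxx.exe"}


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def extract_target(rest):
    """Pull the launched file out of the text after 'O4 - <where>: '."""
    rest = re.sub(r"\s*\(User '[^']*'\)$", "", rest)   # drop "(User 'SYSTEM')"
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)          # drop "[ValueName] "
    if " = " in rest:                                   # "Name.lnk = target"
        rest = rest.split(" = ", 1)[1]
    if rest.startswith('"'):                            # quoted path with spaces
        return rest[1:].split('"', 1)[0]
    return rest.split()[0]


def triage(log_text):
    """Return (severity, reason, line) tuples for every line that needs a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_F2_SHELL.match(line)
        if m:
            if [t.lower() for t in m.group(1).split()] != ["explorer.exe"]:
                findings.append(("high", "program chained onto Shell=", line))
            continue
        m = RE_O20.match(line)
        if m:
            # A non-.dll name (here a .txt) is a loader hiding its extension.
            sev = "medium" if m.group(1).strip().lower().endswith(".dll") else "high"
            findings.append((sev, "AppInit_DLLs injects into every GUI process", line))
            continue
        if RE_O7.match(line):
            findings.append(("medium", "policy restriction hides regedit/Control Panel", line))
            continue
        m = RE_O4.match(line)
        if m:
            where, rest = m.group("where"), m.group("rest")
            target = extract_target(rest)
            if basename(target) in SUSPICIOUS_NAMES:
                findings.append(("high", "autostart of a known rogue filename", line))
            elif "startup" in where.lower() and " = " not in rest:
                findings.append(("medium", "bare executable in a Startup folder", line))
            elif "\\found.000\\" in target.lower():
                findings.append(("low", "autostart from a chkdsk recovery folder", line))
            continue
        if RE_PROC.match(line):
            if basename(line) in SUSPICIOUS_NAMES:
                findings.append(("high", "rogue filename running as a process", line))
            elif "\\found.000\\" in line.lower():
                findings.append(("low", "process running from a chkdsk recovery folder", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 7, 'medium': 1, 'low': 2}."""
    return dict(Counter(sev for sev, _, _ in findings))


# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\found.000\dir0054.chk\SetPoint\KEM.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\found.000\dir0054.chk\SetPoint\KEM.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: systems.txt
"""

if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved hijackthis.log by passing the file contents to triage(). The "low" hits on C:\found.000\ are worth a glance rather than a deletion: that folder is where chkdsk parks recovered fragments, and here it holds a relocated Logitech SetPoint, which also hints at the disk-full problem the poster mentions later in the thread.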

  2. #2 - steamwiz, Security Expert-Emeritus (Join Date: Dec 2005, Location: Yorkshire, U.K., Posts: 1,313)

    Hi

    Download: SmitfraudFix.zip from :-

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

    1. Download to your desktop
    2. unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix)
    3. Double-click smitfraudfix.cmd
    4. Select 1 and hit Enter to create a report of the infected files
    5. find the C:\rapport.txt file and post the contents in your next post here...

    THEN ...

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed update the definitions
    and then run a full system scan quarantine what it finds!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    THEN ...

    Please download Combofix: http://download.bleepingcomputer.com...a/ComboFix.exe
    and save to the desktop.

    1. Double click on ComboFix.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    Please remember to post :-

    1. C:\rapport.txt file
    2. SUPERAntiSpyware Scan Log
    3. C:\ComboFix.txt
    4. a new hijackthis log.( run after everything else)

    steam
    Microsoft MVP - Security 2004/9. Member of ASAP since 2004. Member of U.N.I.T.E.

  3. #3 - Junior Member (Join Date: Sep 2007, Posts: 4)

    Thank you!!!

    That was amazing. Thanks Steam. My hat goes off to you. SUPERantispyware seems to have found all of the problems, but I still couldn't see the control panel or access anything about the system in my computer. (And I couldn't view the Symantec website, like Norton kept asking me to do.) However, after running ComboFix, all of that came back as well. Thanks again for restoring my computer. I'm surprised Norton couldn't fix this, but the problem seems to have tied its hands. After viewing the logfiles you asked for, I would appreciate any insight into this problem you might have. Thanks again. (Because of the length, the log files will be in more than one post.)

    PS - I got very low on hard drive space the other day, and I wondered if that caused my control panel problem, or if it was really the virus that arrived at about the same time...

    SmitFraudFix v2.227

    Scan done at 21:46:05.60, Sun 09/23/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\printer.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\found.000\dir0054.chk\SetPoint\KEM.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\ErrorSmart\ErrorSmart.exe
    C:\Program Files\Corel\WordPerfect Office 2002\Programs\PrintServer100.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    192.168.200.3 download.microsoft.com
    192.168.200.3 downloads.microsoft.com
    192.168.200.3 go.microsoft.com
    192.168.200.3 microsoft.com
    192.168.200.3 msdn.microsoft.com
    192.168.200.3 office.microsoft.com
    192.168.200.3 support.microsoft.com
    192.168.200.3 windowsupdate.microsoft.com
    192.168.200.3 www.microsoft.com
    192.168.200.3 pandasoftware.com
    192.168.200.3 www.pandasoftware.com

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\printer.exe FOUND !
    C:\WINDOWS\system32\WinAvXX.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\system.exe FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="systems.txt"
    "LoadAppInit_DLLs"=dword:00000001


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.1.254
    DNS Server Search Order: 192.168.1.254

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA9B002B-58D3-48F9-B284-03751BFA3B2B}: DhcpNameServer=192.168.1.254 192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA9B002B-58D3-48F9-B284-03751BFA3B2B}: DhcpNameServer=192.168.1.254 192.168.1.254
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{EA9B002B-58D3-48F9-B284-03751BFA3B2B}: DhcpNameServer=192.168.1.254 192.168.1.254
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/24/2007 at 03:15 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3311
    Trace Rules Database Version: 1315

    Scan type : Complete Scan
    Total Scan Time : 05:08:34

    Memory items scanned : 558
    Memory threats detected : 1
    Registry items scanned : 5519
    Registry threats detected : 4
    File items scanned : 218647
    File threats detected : 26

    Trojan.Net-AVP/AVT
    C:\WINDOWS\SYSTEM32\PRINTER.EXE
    C:\WINDOWS\SYSTEM32\PRINTER.EXE
    [WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
    C:\WINDOWS\SYSTEM32\WINAVXX.EXE
    [WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\System32\WinAvXX.exe ]
    HKU\S-1-5-21-4113586923-2583412229-520591771-500\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\System32\WinAvXX.exe ]
    C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
    C:\WINDOWS\Prefetch\PRINTER.EXE-02CF0818.pf

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.m5prod[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@1067912086[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@1070791529[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@2o7[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.m5prod[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adlegend[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adrevolver[2].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads.pointroll[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@burstnet[2].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@fastclick[2].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@hollywoodentertainment.122.2o7[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@roiservice[1].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@trafficmp[2].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tribalfusion[2].txt
    C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@zedo[2].txt

    Trojan.Downloader-JKill
    C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\JKILL.EXE
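
The "hosts file corrupted !" section of the SmitFraudFix report explains why the poster could not reach the Symantec site or Windows Update: every Microsoft and Panda name has been pinned to 192.168.200.3, so name resolution never leaves the box, and the address need not even answer for the denial to work. The script below is an added example by the editor, not part of SmitFraudFix and not code from the original post; it audits a hosts file and separates this kind of redirect from ordinary ad-blocking entries. PROTECTED_SUFFIXES is the editor's own list (assumption) seeded from the domains in the report, and SAMPLE_HOSTS is constructed from those entries plus made-up lines for the other classes.

```python
"""Audit a Windows hosts file for the tampering SmitFraudFix reported above
("hosts file corrupted !"): vendor and update domains mapped to an address
that the victim's browser will never resolve correctly.

Added example for this thread; not part of SmitFraudFix and not code from the
original post. PROTECTED_SUFFIXES is the editor's own list (assumption), seeded
from the domains in the report; SAMPLE_HOSTS is constructed from those entries.
"""
import ipaddress

# Domains a rogue-AV infection blackholes so the victim cannot reach updates or
# removal tools. Editor's list (assumption); extend it for your environment.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "pandasoftware.com",
    "symantec.com",
    "superantispyware.com",
)


def is_protected(host):
    """True for a protected domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (kind, ip, host, lineno) for each entry worth a look.

    kind is one of:
      redirected - protected domain sent to a routable address (as in the report)
      blackholed - protected domain sent to 127.x / 0.0.0.0 (update denial)
      review     - other domain mapped to a routable address (may be a LAN host)
      malformed  - first token is not an IP address
    Loopback entries for non-protected domains (ad-blocking style) and the
    default "127.0.0.1 localhost" line are ignored.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(("malformed", parts[0], " ".join(parts[1:]), lineno))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in parts[1:]:
            if host.lower() == "localhost" and ip.is_loopback:
                continue
            if is_protected(host):
                kind = "blackholed" if sinkhole else "redirected"
                findings.append((kind, str(ip), host, lineno))
            elif not sinkhole:
                findings.append(("review", str(ip), host, lineno))
    return findings


# Constructed sample: the three redirect lines mirror the SmitFraudFix report;
# the remaining entries are made up to exercise the other classes.
SAMPLE_HOSTS = """\
# hosts file (comment lines are ignored)
127.0.0.1       localhost
192.168.200.3 download.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.pandasoftware.com
127.0.0.1 ads.example.net
192.168.1.10 fileserver.lan
"""

if __name__ == "__main__":
    for kind, ip, host, lineno in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:10} {host} -> {ip}")
```

On Windows XP the file normally lives at %SystemRoot%\system32\drivers\etc\hosts, but the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tells the resolver where to look, so confirm that value before trusting the file you opened. A private address such as 192.168.200.3 is typical: the attacker does not need the victim to reach anything, only to stop reaching the vendor.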

  4. #4 - Junior Member (Join Date: Sep 2007, Posts: 4)

    ComboFix log

    ComboFix 07-09-21.2 - "Administrator" 2007-09-24 3:45:04.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.591 [GMT -4:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\w.exe
    C:\WINDOWS\system32\instsrv.exe
    C:\WINDOWS\system32\system
    C:\WINDOWS\system32\system\msxml4.dll
    C:\WINDOWS\system32\system\msxml4r.dll
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
    .

    2007-09-24 03:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-23 21:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-09-23 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-09-23 21:50 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
    2007-09-23 21:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-23 21:46 4,696 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-23 21:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-09-23 21:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-09-23 21:45 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-09-23 21:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-09-23 16:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ErrorSmart
    2007-09-23 16:17 <DIR> d-------- C:\Program Files\ErrorSmart
    2007-09-23 10:10 <DIR> d-------- C:\VundoFix Backups
    2007-09-23 09:38 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-23 08:40 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
    2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
    2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
    2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
    2007-09-17 20:43 49,664 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
    2007-09-17 20:43 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
    2007-09-17 20:43 46,080 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
    2007-09-17 20:43 46,080 --a------ C:\WINDOWS\system32\drivers\61883.sys
    2007-09-17 20:43 36,224 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
    2007-09-17 20:43 36,224 --a------ C:\WINDOWS\system32\drivers\avc.sys
    2007-09-16 18:59 86,016 --a------ C:\WINDOWS\unvise32qt.exe
    2007-09-16 18:58 <DIR> d-------- C:\WINDOWS\system32\QuickTime
    2007-09-16 18:56 171,008 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys
    2007-08-25 15:47 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-08-25 15:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-23 16:21 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-09-23 08:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-09-23 08:38 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-09-23 08:38 123952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-09-23 08:38 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-09-23 08:38 --------- d-------- C:\Program Files\Symantec
    2007-09-22 08:40 --------- d-------- C:\Program Files\Public Talks
    2007-09-22 00:07 --------- d-------- C:\Program Files\Tomb Raider - Anniversary
    2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
    2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
    2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
    2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
    2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
    2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
    2007-09-16 18:59 --------- d-------- C:\Program Files\QuickTime
    2007-08-26 20:03 --------- d-------- C:\Program Files\Best Buy Rhapsody
    2007-08-26 19:57 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
    2007-08-25 23:17 --------- d-------- C:\Program Files\Common Files\Real
    2007-08-25 08:03 --------- d-------- C:\Program Files\MSWorks
    2007-08-13 13:49 --------- d-------- C:\Program Files\Microsoft ActiveSync
    2007-08-12 17:18 --------- d-------- C:\Program Files\Google
    2007-08-07 21:09 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
    2007-08-07 18:20 --------- d-------- C:\Program Files\Watchtower
    2007-08-07 07:27 --------- d-------- C:\Program Files\EA GAMES
    2007-08-07 06:31 --------- d-------- C:\Program Files\Norton Internet Security
    2007-08-06 22:53 --------- d-------- C:\Program Files\AWS
    2007-08-06 22:53 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
    2007-08-06 22:40 --------- d-------- C:\Program Files\Easy Internet signup
    2007-08-06 20:31 4546 -rahs---- C:\WINDOWS\system32\drivers\HP_D7219P-ABA A250Y_YW_Pavi_QMXP334_E33NAprBLG2_4_I P4SD-LA _SASUSTeK Computer INC._VRev 1.xx_B3.10_T030627_WXP1_L409_M1024_J123_7Intel_8Pentium 4_92.6_1104C8023_N10EC8139_P_Z11C1044C_K_A11020004_U808624D2_G10DE0322_O.MRK
    2007-08-06 20:30 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-06 20:25 --------- d-------- C:\Program Files\Creative
    2007-08-06 17:06 --------- d-------- C:\Program Files\InfoRad Wireless
    2007-08-05 09:26 --------- d-------- C:\Program Files\PopCap Games
    2007-08-05 08:39 --------- d-------- C:\Program Files\THQ
    2007-08-05 08:36 --------- d-------- C:\Program Files\Microsoft Games
    2007-08-05 08:34 --------- d-------- C:\Program Files\Electronic Arts
    2007-07-30 20:44 --------- d-------- C:\Program Files\Sandisk
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@"="" []
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 20:11]
    "CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 00:23]
    "Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 20:42]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
    "StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 21:44]
    "nwiz"="nwiz.exe" [2003-03-03 21:44 C:\WINDOWS\system32\nwiz.exe]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 23:35 C:\WINDOWS\ALCXMNTR.EXE]
    "CTHelper"="CTHELPER.EXE" [2003-01-09 03:39 C:\WINDOWS\system32\cthelper.exe]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
    "Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" []
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 15:49]
    "HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-11-14 11:08]
    "HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 15:50]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
    "PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 15:26]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-16 18:59]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-13 07:02]
    "ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2007-09-10 09:39]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll,nViewLoadHook" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 20:48]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SetDefaultMidi"=MIDIDEF.EXE
    "PlayCenter2"="C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2"

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    WinCinema Manager.lnk - C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-07-30 20:44:30]
    Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-01-24 08:14:00]
    HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00]
    Logitech SetPoint.lnk - C:\found.000\dir0054.chk\SetPoint\KEM.exe [2005-08-10 21:22:05]
    Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 22:20:02]
    Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-24 00:53:23]

    C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
    AutoTBar.exe [2002-08-21 19:48:26]
    mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 10:11:14]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
    R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
    R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\System32\DRIVERS\dne2000.sys
    R3 Dot4 HPH11;Dot4 HPH11;C:\WINDOWS\System32\DRIVERS\hphid411.sys
    R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11;C:\WINDOWS\System32\DRIVERS\hphipr11.sys
    R3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11);C:\WINDOWS\System32\Drivers\hphs2k11.sys
    R3 Dot4Usb HPH11;Dot4Usb HPH11;C:\WINDOWS\System32\drivers\hphius11.sys
    S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\System32\DRIVERS\CVirtA.sys

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-19 23:08:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-24 10:10:00 C:\WINDOWS\Tasks\easy Internet sign-up.job"
    - C:\Program Files\Easy Internet signup\HPSdpApp.exe
    "2007-09-24 10:30:22 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
    "2007-09-23 12:54:10 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
    "2007-09-23 12:54:11 C:\WINDOWS\Tasks\HP Usg Login.job"
    - C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
    "2007-09-21 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-24 06:29:02
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-09-24 6:32:00 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-24 06:31
    .
    --- E O F ---

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    4

    Default HiJackThis log file

    Steam,

    Here is the final log you requested. I'm curious to know your thoughts on what happened and what problem(s) I had. Thanks again.

    Rick

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:02:42 AM, on 9/24/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    C:\found.000\dir0054.chk\SetPoint\KEM.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\ErrorSmart\ErrorSmart.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\found.000\dir0054.chk\SetPoint\KEM.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187527391625
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9321 bytes
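
The O4/O20/O23 lines in the log above are the autostart loading points a helper reads by hand. As an added example (not part of this thread, and not HijackThis or ComboFix code), here is a small Python triage script that parses those line formats and flags the entries worth a hash or signature check. The sample input is constructed: entries copied from the log above plus one hypothetical malicious entry (a `[svhost]` Run value pointing at `svhost32.exe` under a Temp folder, with `USER` as a placeholder profile name) that is not in the thread. The suspect-folder list, the look-alike name list and the heuristics themselves are assumptions of this example, not rules from the tools; they point a reviewer at entries, they do not give verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4/O20/O23 lines copied from the HijackThis log posted above,
# plus one HYPOTHETICAL entry ([svhost] ... svhost32.exe under a Temp folder) that
# is not in the thread and exists only to show what a hit looks like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Logitech SetPoint.lnk = C:\found.000\dir0054.chk\SetPoint\KEM.exe
O4 - HKCU\..\Run: [svhost] C:\DOCUME~1\USER\LOCALS~1\Temp\svhost32.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# Line shapes HijackThis uses for Run keys, Startup folders, Winlogon Notify and services.
_RUN = re.compile(r"^O4 - (?P<loc>HK\S+?\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_STARTUP = re.compile(r"^O4 - (?P<loc>.*Startup): (?P<rest>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# First quoted-or-bare token that ends in an executable/library extension.
_IMAGE = re.compile(r'"?([^"]*?\.(?:exe|dll|ocx|cmd|bat|scr))"?', re.I)

# Assumed folders nothing legitimate should auto-start from (chkdsk recovery, temp, recycle bin).
SUSPECT_DIRS = ("\\temp\\", "\\found.000\\", "\\recycler\\", "\\$recycle.bin\\")
# Illustrative look-alike names for system binaries; a real list would be far longer.
LOOKALIKES = {"svhost.exe", "svhost32.exe", "scvhost.exe", "lsas.exe", "iexplorer.exe"}


@dataclass
class Entry:
    kind: str        # "run", "startup", "winlogon" or "service"
    location: str    # registry key, startup folder or service manager
    name: str
    command: str
    image: str = ""  # file the entry actually loads
    owner: str = ""  # vendor string HijackThis prints for services


def image_of(command: str) -> str:
    """File an autostart command really loads: the DLL argument when rundll32 is the host."""
    hits = [h.strip() for h in _IMAGE.findall(command)]
    if not hits:
        return command.strip()
    if hits[0].lower().rsplit("\\", 1)[-1] == "rundll32.exe" and len(hits) > 1:
        return hits[1]
    return hits[0]


def parse_entries(log_text: str) -> list[Entry]:
    """Turn O4/O20/O23 lines into Entry objects; every other line is ignored."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _RUN.match(line):
            entry = Entry("run", m["loc"], m["name"], m["cmd"])
        elif m := _STARTUP.match(line):
            name, sep, cmd = m["rest"].partition(" = ")
            entry = Entry("startup", m["loc"], name, cmd if sep else name)
        elif m := _NOTIFY.match(line):
            entry = Entry("winlogon", "Winlogon\\Notify", m["name"], m["cmd"])
        elif m := _SERVICE.match(line):
            entry = Entry("service", "SCM", m["name"], m["cmd"], owner=m["owner"])
        else:
            continue
        entry.image = image_of(entry.command)
        entries.append(entry)
    return entries


def triage(entry: Entry) -> list[str]:
    """Heuristic reasons an entry deserves a hash/signature check; empty means nothing stood out."""
    reasons: list[str] = []
    img = entry.image.lower()
    base = img.rsplit("\\", 1)[-1]
    if "\\" not in img:
        reasons.append("bare file name: resolved through the executable search path, "
                       "so a same-named file earlier in that path would run instead")
    elif any(d in img for d in SUSPECT_DIRS):
        reasons.append("image lives in a temp/recovery/recycle folder rather than an install location")
    if entry.kind == "run" and " " in entry.image and not entry.command.startswith('"'):
        reasons.append("unquoted path with spaces: CreateProcess tries each space-split "
                       "prefix (C:\\Program.exe, ...) before the intended file")
    if entry.kind == "service" and entry.owner.lower() == "unknown owner":
        reasons.append("no recognised vendor on the service binary")
    if entry.kind == "winlogon":
        reasons.append("Winlogon Notify DLL loads into winlogon.exe as SYSTEM before any logon; always verify")
    if base in LOOKALIKES:
        reasons.append(f"{base} mimics a Windows system binary name")
    return reasons


def triage_log(log_text: str) -> dict[str, list[str]]:
    """Map each flagged entry's name to its reasons; unflagged entries are omitted."""
    flagged: dict[str, list[str]] = {}
    for entry in parse_entries(log_text):
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_LOG):
        reasons = triage(entry)
        print(f"{'REVIEW' if reasons else 'ok    '} {entry.kind:8} {entry.name:22} {entry.image}")
        for reason in reasons:
            print(f"         - {reason}")
```

Run against the sample, it leaves the HP, Symantec and NVIDIA entries alone and flags six: `nwiz` (bare name), `ErrorSmart` (unquoted path), the SetPoint link under `C:\found.000` (a chkdsk recovery folder), the hypothetical `svhost` entry (Temp folder and look-alike name), the SUPERAntiSpyware Winlogon Notify DLL (always worth confirming) and the service with no vendor string. The last two are legitimate here, which is the point: the script narrows what to look up, it does not decide.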

  6. #6
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    HI

    Quote Originally Posted by r_montgomery
    PS - I got very low on hard drive space the other day, and I wondered if that caused my control panel problem, or if it was really the virus that arrived at about the same time...
    For Windows to work correctly, it needs at least 15% free space to expand/open/move files etc., so being low on hard drive space would not help anything; however, it had no connection to the Control Panel problem, which was a registry key disabling the Control Panel, & various other registry keys ...

    Your logs look fine now, but I would still like you to do this please ...

    1. Reboot into safe mode
    2. Double-click smitfraudfix.cmd
    3. Select 2 and hit Enter to delete infected files
    4. You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.
    6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt. Post the contents of the C:\rapport.txt file in your next post here.

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    steam
    MICROSOFT MVP - Security 2004/9 . Member of ASAP since 2004 - Member of U.N.I.T.E
