"Ultimate Defender"

newenglandhiker
2007-12-18, 20:19
I've got Ultimate Defender on my poor machine!

1. I've run spybot in Windows Safe mode twice and eliminated all red notices, getting to "Congrats, no immediate threat found". Rebooted in normal Windows. Two red items which initially appeared during the spybot runs, and which no longer show up there, are: <vario.antivirus> & <virtumonde.crack>.

2. Tried to run Kaspersky, but could not get it to run; failed twice.

3. Ran Hijackthis and got following log read out at conclusion:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:42 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Telephony Toolbar Services - {431A60E6-675F-4b9f-B3F0-66E0FECC8B34} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Telephony Toolbar Call Control - {8F1FF1A7-C048-4d6b-B052-56E42CE427CB} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O3 - Toolbar: Telephony Toolbar Call Control - {6F6690B9-C5DB-4F08-8833-F2EF4DEE956B} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Services - {F10D927F-D3DF-4734-98AB-DD258253F5FD} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: findfast.exe
O4 - Startup: infos.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bullhorn.com
O15 - Trusted Zone: *.bullhornstaffing.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172103904203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172106586828
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DC776D-9457-4AD2-8C51-02864FE417DD}: NameServer = 66.28.0.45,66.26.0.61
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7226 bytes

4. Did not do/fix anything with Hijackthis other than copy the log as it appears above.

5. The Ultimate Defender pop-ups are still coming fast and furious!

6. I'm not the most computer-savvy guy in the world... any help would be gratefully appreciated.
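The HijackThis log above is a line-oriented format that a reviewer reads section by section (F2 shell value, O2 browser helper objects, O4 autostarts, O7 policies, O20 AppInit_DLLs, O23 services). As an added example, not part of this thread and not code from HijackThis, ComboFix or Safer Networking, here is a small Python parser for that layout with a few reviewer heuristics run over lines copied from the log: a Shell= value with an extra program appended, an unnamed BHO, a Run entry with a placeholder name, a bare executable in a Startup folder, a file name that is a letter-swap of a Windows binary, DisableRegedit, a populated AppInit_DLLs, and a service with an unknown owner or `..` in its path. The heuristics, the two-of-three style thresholds and the short list of system binary names are assumptions for illustration; they prioritise what a human looks at and do not declare anything malicious, and they say nothing about quiet entries such as the winroot line, which looks ordinary by name alone.

```python
"""Triage helper for HijackThis (HJT) 2.0.2 log lines.

Added example for this thread; it is not code from HijackThis, ComboFix or
Safer Networking. It parses the 'Oxx - ...' line layout HJT uses and applies
a handful of reviewer heuristics (assumptions, not a malware verdict) to
point at lines worth a closer look.
"""
import re
from typing import List, Tuple

# Sample lines copied from the log posted above, with benign entries mixed in.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumed short list of Windows binaries whose names malware likes to imitate.
KNOWN_SYSTEM_BINARIES = {
    "spoolsv.exe", "svchost.exe", "explorer.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "ctfmon.exe", "smss.exe",
}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

Finding = Tuple[str, str, str]  # (HJT section code, reason, original line body)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (code, body) for every line that follows the HJT 'O4 - ...' layout."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def is_lookalike(basename: str) -> bool:
    """True when the name is an anagram of a known system binary but not that binary
    (catches letter swaps such as spoolvs.exe standing in for spoolsv.exe)."""
    name = basename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return False
    return any(sorted(name) == sorted(known) for known in KNOWN_SYSTEM_BINARIES)


def split_o4(body: str) -> Tuple[str, str]:
    """Return (entry name, launch target) for an O4 body. Layouts assumed:
    'HKLM\\..\\Run: [Name] path', 'Global Startup: x.lnk = path', and
    'Global Startup: file.exe' for a bare file sitting in the Startup folder."""
    m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<path>.*)$", body)
    if m:
        return m.group("name"), m.group("path")
    _, _, rest = body.partition(": ")
    if " = " in rest:
        name, _, path = rest.partition(" = ")
        return name, path
    return rest, rest


def triage(text: str) -> List[Finding]:
    """Apply the reviewer heuristics and return the lines worth a closer look."""
    findings: List[Finding] = []
    for code, body in parse_hjt(text):
        if code == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":  # extra program chained onto the shell
                findings.append((code, "shell value is not plain Explorer.exe", body))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, "browser helper object without a name", body))
        elif code == "O4":
            name, path = split_o4(body)
            base = path.rsplit("\\", 1)[-1].strip('"').lower()
            if name == "Undefined":
                findings.append((code, "Run entry with placeholder name 'Undefined'", body))
            elif is_lookalike(base):
                findings.append((code, f"{base} imitates a Windows binary name", body))
            elif "Startup:" in body and " = " not in body and base.endswith(".exe"):
                findings.append((code, "bare executable in a Startup folder", body))
        elif code == "O7" and "DisableRegedit=1" in body:
            findings.append((code, "registry editor disabled by policy", body))
        elif code == "O20" and body.partition(":")[2].strip():
            findings.append((code, "AppInit_DLLs loads a DLL into every GUI process", body))
        elif code == "O23" and ("Unknown owner" in body or "\\..\\" in body):
            findings.append((code, "service with unknown owner or '..' in its path", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {body}")
```

Run as a script it prints the flagged lines; `triage()` returns them as tuples so a whole log pasted from a reply can be fed through it and the result sorted or diffed against a later log from the same machine.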

km2357
2007-12-18, 20:52
Hello and welcome to Safer Networking Forums.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

Since I am still in training, I have to let experts check the content of my fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!

newenglandhiker
2007-12-18, 20:55
Thanks for your help and thanks for taking the time to learn how to help the likes of me...

km2357
2007-12-19, 21:19
Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1)

Download and install only one!

Once you have downloaded and installed the AV of your choice, run a scan with it and have it delete anything it finds.

Step # 1: Disable Teatimer

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

This is a two-step process.
First step: Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol).
If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version: Open Spybot S&D
Click Mode, choose Advanced Mode
Go to the bottom of the vertical panel on the left, click Tools
then, also in the left panel, click Resident (it shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.



Step # 2: Download and Run ComboFix

Download this file from any of the three places listed below and save it to your Desktop:


http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


Then double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.



Step # 3: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.


Step # 4: Post Logs

In your next post/reply, I'd like to see the following:

1. ComboFix Log (C:\ComboFix.txt)
2. A fresh HiJackThis Log
3. Uninstall List

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.

newenglandhiker
2007-12-21, 19:12
Per your instructions, I have done the following:

1. Installed Avast!4Home 4.7;
2. Performed a "Thorough" scan on my machine with Avast!4Home; removed all infected items to the chest, per program suggestions;
3. Disabled Teatimer;
4. Downloaded & ran ComboFix; had no problems running same. Copy of log to follow;
5. Made HJT Uninstall List. Copy of list to follow;
6. Ran HJT and produced new log. Copy of log to follow.

I. ComboFix log:

ComboFix 07-12-21.4 - user 2007-12-21 10:25:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT -5:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.exe
C:\Autorun.inf
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\user\Application Data\ultra
C:\Documents and Settings\user\Application Data\ultra\uninstall.bat
C:\Documents and Settings\user\Start Menu\Programs\Startup\infos.exe
C:\Program Files\spysheriff
C:\Program Files\spysheriff\base.avd
C:\Program Files\spysheriff\base001.avd
C:\Program Files\spysheriff\base002.avd
C:\Program Files\spysheriff\found.wav
C:\Program Files\spysheriff\notfound.wav
C:\Program Files\spysheriff\removed.wav
C:\Program Files\spysheriff\SpySheriff.dvm
C:\Program Files\spysheriff\SpySheriff.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\1033\1033.exe
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\GC21D.tmp.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\restore\restore.exe
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\windows.exe
C:\winstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\LEGACY_MSUPDATE
-------\Driver
-------\msupdate


((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-20 09:01 . 2007-12-20 09:01 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-20 09:01 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-20 09:01 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-20 09:01 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-20 09:01 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-20 09:01 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-20 09:01 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-20 09:01 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-20 09:01 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-18 13:50 . 2007-12-18 13:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-18 12:01 . 2007-12-18 12:01 11,776 --a------ C:\WINDOWS\wsystmp_mmr.exe
2007-12-17 16:12 . 2007-12-17 16:12 396,288 --a------ C:\HijackThis.exe
2007-12-17 13:05 . 2007-12-18 12:45 415 --a------ C:\WINDOWS\wininit.ini
2007-12-17 11:21 . 2007-12-17 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 10:45 . 2007-12-17 10:12 89,088 ---h----- C:\WINDOWS\system32\drivers\drivers.exe
2007-12-17 10:45 . 2007-12-17 10:12 89,088 ---h----- C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
2007-12-17 10:43 . 2007-12-07 11:43 152,388 --a------ C:\WINDOWS\hplj1320.hi1
2007-12-17 10:43 . 2007-12-07 11:43 13,271 --a------ C:\WINDOWS\hplj1320.bu1
2007-12-17 10:37 . 2007-12-17 10:12 89,088 ---h----- C:\WINDOWS\system\system.exe
2007-12-17 10:16 . 2007-12-17 10:12 89,088 ---h----- C:\temp\temp.exe
2007-12-17 10:14 . 2007-12-17 10:12 89,088 ---h----- C:\Documents and Settings\user\user.exe
2007-12-17 10:14 . 2007-12-17 10:12 89,088 ---h----- C:\Documents and Settings\All Users\All Users.exe
2007-12-17 10:14 . 2007-12-17 10:14 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-17 10:13 . 2007-12-17 10:13 29,184 --a------ C:\WINDOWS\wsystmp_jdk.exe
2007-12-17 10:12 . 2007-12-17 10:12 89,088 --a------ C:\WINDOWS\wsystmp_liv.exe
2007-12-17 10:12 . 2007-12-17 10:12 89,088 ---hs---- C:\WINDOWS\system32\winsn.exe
2007-12-17 10:12 . 2007-12-17 10:12 89,088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-17 10:12 . 2007-12-17 10:12 89,088 ---hs---- C:\F83496D5.exe
2007-12-17 10:12 . 2007-12-21 10:12 28,929 --a------ C:\WINDOWS\system32\winsos.exe
2007-12-17 10:02 . 2007-12-17 10:02 15,872 --a------ C:\WINDOWS\windisk.dll
2007-12-17 09:44 . 2007-12-17 09:44 28,929 --a------ C:\WINDOWS\trayicons.exe
2007-12-07 11:43 . 2007-12-07 11:43 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
2007-12-07 11:42 . 2003-06-16 16:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-12-07 11:42 . 2003-07-02 13:15 61,440 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-12-07 11:42 . 2004-03-25 17:30 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-12-07 11:42 . 2003-06-20 12:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-12-07 11:41 . 2007-12-07 11:42 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-12-07 11:39 . 2004-05-21 04:44 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-12-07 09:27 . 2007-12-07 09:27 103 --a------ C:\WINDOWS\system32\hptrace.ini
2007-12-07 09:26 . 2007-12-07 09:26 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-07 09:26 . 2007-12-17 10:43 1,788 --a------ C:\WINDOWS\hplj1320.his
2007-12-07 09:26 . 2007-12-17 10:43 356 --a------ C:\WINDOWS\hplj1320.ini
2007-12-07 03:00 . 2007-12-07 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 12:41 . 2007-12-06 12:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\BroadSoft
2007-12-06 12:31 . 2007-12-06 12:31 <DIR> d-------- C:\Program Files\Speakeasy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 20:57 --------- d-----w C:\Program Files\Google
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Database\Database.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Config\News\News.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Config\Config.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\binaries\binaries.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Media\Media.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\WindowsMediaPlayer.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\Video.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Scr\Scr.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\WMarks.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Img.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\Btn.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Css\Css.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\Cnt.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\Wav.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Audio.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\mmTour\mmTour.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Tours\htmlTour\htmlTour.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Help\Help.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Cursors\Cursors.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\AppPatch\AppPatch.exe
2007-12-07 16:42 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-26 21:01 --------- d-----w C:\Documents and Settings\user\Application Data\Logitech
2007-10-26 21:00 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-10-26 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 21:00 --------- d-----w C:\Program Files\Logitech
2007-10-26 21:00 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-10-26 20:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-26 20:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-10-26 20:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2007-10-26 20:58 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-26 20:57 --------- d-----w C:\Documents and Settings\user\Application Data\InstallShield
2007-10-26 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-26 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-26 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-08-17 14:11 63,656 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-07-12 19:25 60,968 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{431A60E6-675F-4b9f-B3F0-66E0FECC8B34}]
2007-02-05 10:27 634880 --a------ C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 12:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 12:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 12:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 C:\WINDOWS\KHALMNPR.Exe]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 10:10]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-21 10:33]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-17 10:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-10-26 16:00:21]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-26 15:57:49]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 10:32:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\windisk.dll
.
Completion time: 2007-12-21 10:35:08 - machine was rebooted
.
2007-12-12 08:03:03 --- E O F ---


II. HJT Uninstall List:

Abacast Client
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
avast! Antivirus
CDDRV_Installer
Dell ResourceCD
Google Earth
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 4.7
HP Image Zone Express
hp LaserJet 1160/1320 series
HP PSC & OfficeJet 4.7
HP Software Update
HP Update
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
KhalInstallWrapper
Logitech Desktop Messenger
Logitech Registration
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)




---Balance to follow on next reply---
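The "Files Created" and "Find3M" sections of the ComboFix log above show a pattern worth knowing how to spot: a run of 89,088-byte hidden executables, many of them named after the folder they were written into (Database\Database.exe, Cursors\Cursors.exe, system\system.exe, drivers\drivers.exe). As an added example, not ComboFix's own code and not from any participant in this thread, here is a Python parser for both ComboFix line layouts (two timestamps joined by " . " in "Files Created", one timestamp in "Find3M") that groups files by exact size and reports an entry when at least two of three traits coincide: a name that mirrors its parent folder, the hidden attribute, and membership in a size cluster. The sample lines are copied from the log above with benign entries mixed in; the two-of-three rule and the cluster threshold of three are assumptions for illustration, and a match is a prompt for a closer look, not a verdict.

```python
"""Pattern check over ComboFix 'Files Created' / 'Find3M' listing lines.

Added example for this thread, not code from ComboFix or its author. It
parses the two line layouts ComboFix prints for files and flags entries that
share several traits seen in the log above: identical size across many files,
the hidden attribute, and a file named after the folder it sits in. These are
reviewer heuristics (assumptions), not a verdict on any single file.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample lines copied from the ComboFix log posted above (both layouts), with benign entries mixed in.
SAMPLE_LISTING = r"""
2007-12-20 09:01 . 2007-12-20 09:01 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-20 09:01 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-17 10:45 . 2007-12-17 10:12 89,088 ---h----- C:\WINDOWS\system32\drivers\drivers.exe
2007-12-17 10:45 . 2007-12-17 10:12 89,088 ---h----- C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
2007-12-17 10:37 . 2007-12-17 10:12 89,088 ---h----- C:\WINDOWS\system\system.exe
2007-12-17 10:14 . 2007-12-17 10:14 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-17 10:12 . 2007-12-17 10:12 89,088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-07 11:42 . 2003-06-16 16:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Database\Database.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Cursors\Cursors.exe
2007-12-07 16:42 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# 'Files Created' lines carry two timestamps joined by ' . '; Find3M lines carry one.
LINE_RE = re.compile(
    rf"^{TIMESTAMP}(?: \. {TIMESTAMP})?\s+(?P<size>[\d,]+|-+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class FileEntry:
    size: int
    attrs: str
    path: str


def parse_listing(text: str) -> List[FileEntry]:
    """Keep file lines only; directories (<DIR> or a dashed size field) are dropped."""
    files = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("size")[0].isdigit():
            continue
        size = int(m.group("size").replace(",", ""))
        files.append(FileEntry(size, m.group("attrs"), m.group("path")))
    return files


def mirrors_parent_dir(path: str) -> bool:
    """True for names like Cursors\\Cursors.exe (file stem equals its folder name)."""
    parts = path.rstrip("\\").split("\\")
    if len(parts) < 2:
        return False
    stem = parts[-1].rsplit(".", 1)[0]
    return stem.lower() == parts[-2].lower()


def size_clusters(files: List[FileEntry], min_count: int = 3) -> Dict[int, List[FileEntry]]:
    """Group files by exact byte size and keep the groups with min_count or more members."""
    by_size: Dict[int, List[FileEntry]] = defaultdict(list)
    for f in files:
        by_size[f.size].append(f)
    return {size: group for size, group in by_size.items() if len(group) >= min_count}


def triage_listing(text: str) -> List[Tuple[str, List[str]]]:
    """Report files that show at least two of the three traits, with the reasons."""
    files = parse_listing(text)
    clusters = size_clusters(files)
    findings = []
    for f in files:
        reasons = []
        if mirrors_parent_dir(f.path):
            reasons.append("file is named after its parent folder")
        if "h" in f.attrs:
            reasons.append("hidden attribute set")
        if f.size in clusters:
            reasons.append(f"one of {len(clusters[f.size])} files of exactly {f.size} bytes")
        if len(reasons) >= 2:
            findings.append((f.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_listing(SAMPLE_LISTING):
        print(path)
        for r in reasons:
            print("   -", r)
```

The size clustering is what makes the folder-mirroring trait convincing: one hidden file named after its directory could be a legitimate installer quirk, but six of them at exactly the same byte count, all created in the same minute, is the kind of coincidence a reviewer should not accept without checking each file.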

newenglandhiker
2007-12-21, 19:17
--- Continued from preceding message ---

III. Fresh HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:45 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Telephony Toolbar Services - {431A60E6-675F-4b9f-B3F0-66E0FECC8B34} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Telephony Toolbar Call Control - {8F1FF1A7-C048-4d6b-B052-56E42CE427CB} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Call Control - {6F6690B9-C5DB-4F08-8833-F2EF4DEE956B} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Services - {F10D927F-D3DF-4734-98AB-DD258253F5FD} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bullhorn.com
O15 - Trusted Zone: *.bullhornstaffing.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172103904203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172106586828
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DC776D-9457-4AD2-8C51-02864FE417DD}: NameServer = 66.28.0.45,66.26.0.61
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6863 bytes



km2357, your instructions were clear and very easy to understand. Nice job, especially with a novice like myself. Things are much quieter now; no pop-ups, no doom-filled messages... Next step?

km2357
2007-12-22, 01:35
It looks like your Uninstall List may have been cut short. Are there any programs in your Uninstall List (Add/Remove Programs) after Security Update for Windows Media Player 9 (KB917734)? If there are, can you post the rest of them for me to go over?



Step # 1 Remove Logitech Desktop Messenger

You appear to have a program on your system called Logitech® Desktop Messenger. This is a background process that can automatically access the Internet without your knowledge or permission. Although it does provide updates for your Logitech products, the fact that it can access the Internet without your consent is potentially dangerous. It does download and update your Logitech products but this can be done manually by visiting the Logitech web site. My advice would be to uninstall this program (Start > Control Panel > Add or Remove Programs) but this is entirely your decision. I suggest doing all updates yourself and removing this application!



Step # 2 Upload Files


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\PMLJNI.dll
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\Documents and Settings\user\GoToAssistDownloadHelper.exe

If Jotti is busy, try scanning the above files at VirusTotal (http://www.virustotal.com/en/indexf.html)


Step # 3: Run CFScript

Please delete the version of ComboFix you have on your computer. I need you to download the latest version of ComboFix by sUBs here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.



Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::

C:\WINDOWS\wsystmp_mmr.exe
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
C:\WINDOWS\system\system.exe
C:\temp\temp.exe
C:\Documents and Settings\user\user.exe
C:\Documents and Settings\All Users\All Users.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\wsystmp_jdk.exe
C:\WINDOWS\wsystmp_liv.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\shovth.exe
C:\F83496D5.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\trayicons.exe
C:\WINDOWS\pchealth\helpctr\Database\Database.exe
C:\WINDOWS\pchealth\helpctr\Config\News\News.exe
C:\WINDOWS\pchealth\helpctr\Config\Config.exe
C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache.exe
C:\WINDOWS\pchealth\helpctr\binaries\binaries.exe
C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps.exe
C:\WINDOWS\Media\Media.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\WindowsMediaPlayer.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\Video.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Scr\Scr.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\WMarks.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Img.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\Btn.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Css\Css.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\Cnt.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\Wav.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Audio.exe
C:\WINDOWS\Help\Tours\mmTour\mmTour.exe
C:\WINDOWS\Help\Tours\htmlTour\htmlTour.exe
C:\WINDOWS\Help\Help.exe
C:\WINDOWS\Cursors\Cursors.exe
C:\WINDOWS\AppPatch\AppPatch.exe

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sis32"=-
"winroot"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step # 4 Post Logs

In your next post/reply, I'd like to see the following:

1. Answer to my question about Uninstall List
2. Jotti (or VirusTotal) Results
3. ComboFix Log (C:\ComboFix.txt)
4. A fresh HiJackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.

newenglandhiker
2007-12-24, 16:13
You are correct. I cut short the copy of my Uninstall List, so here is the entire List:

II. HJT Uninstall List, Second Try

Abacast Client
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
avast! Antivirus
CDDRV_Installer
Dell ResourceCD
Google Earth
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 4.7
HP Image Zone Express
hp LaserJet 1160/1320 series
HP PSC & OfficeJet 4.7
HP Software Update
HP Update
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
KhalInstallWrapper
Logitech Desktop Messenger
Logitech Registration
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Speakeasy VoIP Communications Toolbar 14.0.45.1 MB2
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URGE
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781


I will be doing the balance of what you requested over the course of today (December 24) and Wednesday (December 26) and then posting the results on Wednesday morning. Thank you again for all your help.

Merry Christmas, if you celebrate it!

newenglandhiker
2007-12-26, 22:35
Per your instructions, I have completed the following steps:

a.) Previously posted on 24Dec07 a new (complete) copy of the Uninstall List;
b.) Removed "Logitech Desktop Messenger" from my machine. Could there be a similar program for H-P products?;
c.) Did three Jotti runs. Results to follow.
d.) Followed instructions re: ComboFix and let ComboFix do its thing. Log to follow. Note: when ComboFix was starting up, the following message appeared on my desktop: "The contents of folder C:\qoobox\Hiv-backup could not be completely deleted." I pressed the "OK" button and ComboFix started up and ran without incident.
e.) Ran HJT. Log to follow.
_ _ _ _ _
I. Three Jotti runs

A. First Jotti Run
Service load: 0% 100%
File: PMLJNI.dll
Status: OK
MD5: 31d71c0d29b867acbf73149ff3dd140a
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 26 Dec 2007 20:29:00 (GMT)
A-Squared Found nothing
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

B. Second Jotti Run
Service load: 0% 100%
File: bwUnin-8.1.1.50-8876480SL.exe
Status: OK
MD5: 21007bd289539a3ca0d0f3653dc11258
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 26 Dec 2007 20:33:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C. Third Jotti Run
Service load: 0% 100%
File: GoToAssistDownloadHelper.exe
Status: OK
MD5: cda6637a57252d38ec92ad0016c63585
Packers detected: PE_PATCH.UPX
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 26 Dec 2007 20:36:32 (GMT)
A-Squared Found nothing
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

II. ComboFix Log

ComboFix 07-12-21.4 - user 2007-12-26 15:52:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.163 [GMT -5:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\user\user.exe
C:\F83496D5.exe
C:\temp\temp.exe
C:\WINDOWS\AppPatch\AppPatch.exe
C:\WINDOWS\Cursors\Cursors.exe
C:\WINDOWS\Help\Help.exe
C:\WINDOWS\Help\Tours\htmlTour\htmlTour.exe
C:\WINDOWS\Help\Tours\mmTour\mmTour.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Audio.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\Wav.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\Cnt.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Css\Css.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\Btn.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Img.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\WMarks.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Scr\Scr.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\Video.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\WindowsMediaPlayer.exe
C:\WINDOWS\Media\Media.exe
C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps.exe
C:\WINDOWS\pchealth\helpctr\binaries\binaries.exe
C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache.exe
C:\WINDOWS\pchealth\helpctr\Config\Config.exe
C:\WINDOWS\pchealth\helpctr\Config\News\News.exe
C:\WINDOWS\pchealth\helpctr\Database\Database.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\wsystmp_jdk.exe
C:\WINDOWS\wsystmp_liv.exe
C:\WINDOWS\wsystmp_mmr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.exe
C:\Autorun.inf
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\user\user.exe
C:\F83496D5.exe
C:\temp\temp.exe
C:\WINDOWS\AppPatch\AppPatch.exe
C:\WINDOWS\Cursors\Cursors.exe
C:\WINDOWS\Help\Help.exe
C:\WINDOWS\Help\Tours\htmlTour\htmlTour.exe
C:\WINDOWS\Help\Tours\mmTour\mmTour.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Audio.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\Wav.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\Cnt.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Css\Css.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\Btn.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Img.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\WMarks.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Scr\Scr.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\Video.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\WindowsMediaPlayer.exe
C:\WINDOWS\Media\Media.exe
C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps.exe
C:\WINDOWS\pchealth\helpctr\binaries\binaries.exe
C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache.exe
C:\WINDOWS\pchealth\helpctr\Config\Config.exe
C:\WINDOWS\pchealth\helpctr\Config\News\News.exe
C:\WINDOWS\pchealth\helpctr\Database\Database.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system32\1033\1033.exe
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system32\restore\restore.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\windows.exe
C:\WINDOWS\wsystmp_jdk.exe
C:\WINDOWS\wsystmp_liv.exe
C:\WINDOWS\wsystmp_mmr.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-21 11:14 . 2007-12-21 11:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 09:01 . 2007-12-20 09:01 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-20 09:01 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-20 09:01 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-20 09:01 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-20 09:01 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-20 09:01 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-20 09:01 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-20 09:01 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-20 09:01 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-18 13:50 . 2007-12-18 13:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-17 16:12 . 2007-12-17 16:12 396,288 --a------ C:\HijackThis.exe
2007-12-17 13:05 . 2007-12-18 12:45 415 --a------ C:\WINDOWS\wininit.ini
2007-12-17 11:21 . 2007-12-17 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 10:43 . 2007-12-07 11:43 152,388 --a------ C:\WINDOWS\hplj1320.hi1
2007-12-17 10:43 . 2007-12-07 11:43 13,271 --a------ C:\WINDOWS\hplj1320.bu1
2007-12-07 11:43 . 2007-12-07 11:43 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
2007-12-07 11:42 . 2003-06-16 16:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-12-07 11:42 . 2003-07-02 13:15 61,440 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-12-07 11:42 . 2004-03-25 17:30 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-12-07 11:42 . 2003-06-20 12:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-12-07 11:41 . 2007-12-07 11:42 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-12-07 11:39 . 2004-05-21 04:44 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-12-07 09:27 . 2007-12-07 09:27 103 --a------ C:\WINDOWS\system32\hptrace.ini
2007-12-07 09:26 . 2007-12-07 09:26 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-07 09:26 . 2007-12-17 10:43 1,788 --a------ C:\WINDOWS\hplj1320.his
2007-12-07 09:26 . 2007-12-17 10:43 356 --a------ C:\WINDOWS\hplj1320.ini
2007-12-07 03:00 . 2007-12-07 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 12:41 . 2007-12-06 12:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\BroadSoft
2007-12-06 12:31 . 2007-12-06 12:31 <DIR> d-------- C:\Program Files\Speakeasy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 20:25 --------- d-----w C:\Program Files\Logitech
2007-12-20 20:57 --------- d-----w C:\Program Files\Google
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\srchasst\srchasst.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\srchasst\mui\0409\0409.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\srchasst\chars\chars.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\Registration\Registration.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\System.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\images.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\css\css.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
2007-12-17 15:12 89,088 ---h--w C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe
2007-12-07 16:42 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-26 21:01 --------- d-----w C:\Documents and Settings\user\Application Data\Logitech
2007-10-26 21:00 127,034 ------w C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-10-26 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 21:00 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-10-26 20:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-26 20:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-10-26 20:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2007-10-26 20:58 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-26 20:57 --------- d-----w C:\Documents and Settings\user\Application Data\InstallShield
2007-10-26 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-26 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-26 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-08-17 14:11 63,656 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-07-12 19:25 60,968 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{431A60E6-675F-4b9f-B3F0-66E0FECC8B34}]
2007-02-05 10:27 634880 --a------ C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 12:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 12:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 12:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 C:\WINDOWS\KHALMNPR.Exe]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 10:10]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-26 15:57:49]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 15:54:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 15:55:31
C:\ComboFix2.txt ... 2007-12-21 10:35
.
2007-12-12 08:03:03 --- E O F ---


- - - Balance to follow in next posting - - -

newenglandhiker
2007-12-26, 22:37
- - - Continued from last post - - -

III. New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:41 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_SP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Telephony Toolbar Services - {431A60E6-675F-4b9f-B3F0-66E0FECC8B34} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Telephony Toolbar Call Control - {8F1FF1A7-C048-4d6b-B052-56E42CE427CB} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Call Control - {6F6690B9-C5DB-4F08-8833-F2EF4DEE956B} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Services - {F10D927F-D3DF-4734-98AB-DD258253F5FD} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Dial - C:\Program Files\Speakeasy\VoIP Communications Toolbar\conf\dialIE.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bullhorn.com
O15 - Trusted Zone: *.bullhornstaffing.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172103904203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172106586828
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DC776D-9457-4AD2-8C51-02864FE417DD}: NameServer = 66.28.0.45,66.26.0.61
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6567 bytes


My machine is still quiet, with no pop-ups or any messages exhorting me to buy software...

km2357
2007-12-27, 05:26
b.) Removed "Logitech Desktop Messenger" from my machine. Could there be a similar program for H-P products?


Sorry, I don't know of any HP products that are similar to Logitech Desktop Messenger.
Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer; I need you to download the latest version of ComboFix by sUBs here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.

Also delete the CFScript.txt from your Desktop; you will be creating and running a new one.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::

C:\WINDOWS\srchasst\srchasst.exe
C:\WINDOWS\srchasst\mui\0409\0409.exe
C:\WINDOWS\srchasst\chars\chars.exe
C:\WINDOWS\Registration\Registration.exe
C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
C:\WINDOWS\pchealth\helpctr\System\System.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
C:\WINDOWS\pchealth\helpctr\System\images\images.exe
C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
C:\WINDOWS\pchealth\helpctr\System\css\css.exe
C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step # 2 Post Logs

In your next post/reply, I'd like to see the following:

1. ComboFix Log (C:\ComboFix.txt)
2. A fresh HiJackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.

newenglandhiker
2007-12-27, 15:22
Per your instructions:
I. ComboFix Log, 27Dec07 (after throwing out old ComboFix & downloading new one)
ComboFix 07-12-21.4 - user 2007-12-27 8:47:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT -5:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe
C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
C:\WINDOWS\pchealth\helpctr\System\css\css.exe
C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
C:\WINDOWS\pchealth\helpctr\System\images\images.exe
C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
C:\WINDOWS\pchealth\helpctr\System\System.exe
C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
C:\WINDOWS\Registration\Registration.exe
C:\WINDOWS\srchasst\chars\chars.exe
C:\WINDOWS\srchasst\mui\0409\0409.exe
C:\WINDOWS\srchasst\srchasst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe
C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
C:\WINDOWS\pchealth\helpctr\System\css\css.exe
C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
C:\WINDOWS\pchealth\helpctr\System\images\images.exe
C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
C:\WINDOWS\pchealth\helpctr\System\System.exe
C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
C:\WINDOWS\Registration\Registration.exe
C:\WINDOWS\srchasst\chars\chars.exe
C:\WINDOWS\srchasst\mui\0409\0409.exe
C:\WINDOWS\srchasst\srchasst.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-21 11:14 . 2007-12-21 11:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 09:01 . 2007-12-20 09:01 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-20 09:01 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-20 09:01 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-20 09:01 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-20 09:01 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-20 09:01 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-20 09:01 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-20 09:01 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-20 09:01 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-18 13:50 . 2007-12-18 13:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-17 16:12 . 2007-12-17 16:12 396,288 --a------ C:\HijackThis.exe
2007-12-17 13:05 . 2007-12-18 12:45 415 --a------ C:\WINDOWS\wininit.ini
2007-12-17 11:21 . 2007-12-17 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 10:43 . 2007-12-07 11:43 152,388 --a------ C:\WINDOWS\hplj1320.hi1
2007-12-17 10:43 . 2007-12-07 11:43 13,271 --a------ C:\WINDOWS\hplj1320.bu1
2007-12-07 11:43 . 2007-12-07 11:43 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
2007-12-07 11:42 . 2003-06-16 16:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-12-07 11:42 . 2003-07-02 13:15 61,440 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-12-07 11:42 . 2004-03-25 17:30 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-12-07 11:42 . 2003-06-20 12:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-12-07 11:41 . 2007-12-07 11:42 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-12-07 11:39 . 2004-05-21 04:44 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-12-07 09:27 . 2007-12-07 09:27 103 --a------ C:\WINDOWS\system32\hptrace.ini
2007-12-07 09:26 . 2007-12-07 09:26 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-07 09:26 . 2007-12-17 10:43 1,788 --a------ C:\WINDOWS\hplj1320.his
2007-12-07 09:26 . 2007-12-17 10:43 356 --a------ C:\WINDOWS\hplj1320.ini
2007-12-07 03:00 . 2007-12-07 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 12:41 . 2007-12-06 12:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\BroadSoft
2007-12-06 12:31 . 2007-12-06 12:31 <DIR> d-------- C:\Program Files\Speakeasy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 20:25 --------- d-----w C:\Program Files\Logitech
2007-12-20 20:57 --------- d-----w C:\Program Files\Google
2007-12-07 16:42 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-08-17 14:11 63,656 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-07-12 19:25 60,968 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{431A60E6-675F-4b9f-B3F0-66E0FECC8B34}]
2007-02-05 10:27 634880 --a------ C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 12:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 12:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 12:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 C:\WINDOWS\KHALMNPR.Exe]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 10:10]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-26 15:57:49]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 08:49:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 8:50:22
C:\ComboFix2.txt ... 2007-12-26 15:55
C:\ComboFix3.txt ... 2007-12-21 10:35
.
2007-12-12 08:03:03 --- E O F ---



- - - Balance to follow in next post - - -

newenglandhiker
2007-12-27, 15:28
- - - Continued from previous post - - -

II. HJT Log, 27Dec07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:19 AM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_SP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Telephony Toolbar Services - {431A60E6-675F-4b9f-B3F0-66E0FECC8B34} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Telephony Toolbar Call Control - {8F1FF1A7-C048-4d6b-B052-56E42CE427CB} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Call Control - {6F6690B9-C5DB-4F08-8833-F2EF4DEE956B} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
O3 - Toolbar: Telephony Toolbar Services - {F10D927F-D3DF-4734-98AB-DD258253F5FD} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Dial - C:\Program Files\Speakeasy\VoIP Communications Toolbar\conf\dialIE.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bullhorn.com
O15 - Trusted Zone: *.bullhornstaffing.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172103904203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172106586828
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DC776D-9457-4AD2-8C51-02864FE417DD}: NameServer = 66.28.0.45,66.26.0.61
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6567 bytes



Question: The last few times I've started my machine I have been getting the following message: "Windows Firewall has blocked some features of this program. Name: javaw Publisher: unknown." It looks like something out of a Java program, but I'm so paranoid right now I hit "keep blocking" each time and kept it from opening. Is this item actually OK?

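Added example (not part of either poster's reply, and not a HijackThis or Spybot tool): the O-lines in a HijackThis log are regular enough to triage with a short script, which is useful when a log runs to dozens of entries. The parser below pulls out the section tag, GUIDs, file paths, URLs and IP addresses from each line and attaches a conservative "please verify" flag for the patterns a helper would look at first: O15 Trusted Zone additions, O17 per-interface DNS servers, O16 ActiveX downloads from hosts other than an assumed allowlist, O23 services with no publisher, and any autostart target living in a user-writable folder. It does not decide what is malicious. The sample input copies seven lines from the log above and adds two constructed lines (the "Example Helper" service and the "updater" Run key) so the remaining checks fire; the `USER_WRITABLE` folder list and `EXPECTED_DPF_HOSTS` allowlist are assumptions for this example.

```python
"""Triage helper for the 'O' lines of a HijackThis log (added example).

It parses the section tag, pulls out GUIDs, file paths, URLs and IPs, and
applies a few conservative checks. It does not decide what is malicious;
it lists what a human reader should verify.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|htm|lnk)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Folders a non-admin user can write to (assumption: XP-era layout). Autostart
# or service binaries here deserve a second look, because dropping a file
# there needs no elevated rights.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\temp\\")
# O16 download hosts you expect to see. Assumption for this example.
EXPECTED_DPF_HOSTS = {"update.microsoft.com"}


@dataclass
class Entry:
    section: str                 # e.g. "O23"
    body: str                    # text after "O23 - "
    paths: List[str] = field(default_factory=list)
    guids: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an 'O<n> - ...' line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    return Entry(section, body, PATH_RE.findall(body), GUID_RE.findall(body))


def triage(e: Entry) -> Entry:
    """Attach human-readable flags; an empty list means 'nothing to check'."""
    if e.section == "O15":
        e.flags.append("IE Trusted Zone entry: relaxed ActiveX/scripting rules "
                       "for this site; confirm it was added on purpose")
    elif e.section == "O17":
        ips = IP_RE.findall(e.body)
        e.flags.append(f"per-interface DNS servers {ips}: confirm they belong to your ISP")
    elif e.section == "O16":
        for url in URL_RE.findall(e.body):
            host = (urlparse(url).hostname or "").lower()
            if host not in EXPECTED_DPF_HOSTS:
                e.flags.append(f"ActiveX control downloaded from {host}: confirm you installed it")
    elif e.section == "O23" and "- Unknown owner -" in e.body:
        e.flags.append("service binary carries no publisher name")
    for p in e.paths:
        if any(marker in p.lower() for marker in USER_WRITABLE):
            e.flags.append(f"autostart target in a user-writable folder: {p}")
    return e


def parse_log(text: str) -> List[Entry]:
    """Parse and triage every O-line in a log; other lines are skipped."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def report(entries: List[Entry]) -> List[tuple]:
    """Flattened (section, flag) pairs for everything that needs a look."""
    return [(e.section, f) for e in entries for f in e.flags]


# Sample input: the first seven O-lines are copied from the log posted above;
# the "Example Helper" service and "updater" Run key are constructed for this
# example so the remaining checks have something to fire on.
SAMPLE_LOG = r"""
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O15 - Trusted Zone: *.bullhorn.com
O15 - Trusted Zone: *.bullhornstaffing.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172103904203
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DC776D-9457-4AD2-8C51-02864FE417DD}: NameServer = 66.28.0.45,66.26.0.61
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\Documents and Settings\All Users\Application Data\exhelper.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
--
End of file - 6567 bytes
"""

if __name__ == "__main__":
    for section, flag in report(parse_log(SAMPLE_LOG)):
        print(section, "-", flag)
```

Run as-is it prints seven flags; the avast service, the HP startup link and the Microsoft Update control pass untouched. Treat the flags as a reading order, not a verdict: the two Trusted Zone domains and the DNS servers in the real log may be perfectly legitimate, which only the machine's owner can confirm.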

km2357
2007-12-28, 01:59
Question: The last few times I've started my machine I have been getting the following message: "Windows Firewall has blocked some features of this program. Name: javaw Publisher: unknown." It looks like something out of a Java program, but I'm so paranoid right now I hit "keep blocking" each time and kept it from opening. Is this item actually OK?

Javaw is Sun Java's executable and is ok. You can click Unblock the next time the Security Alert window shows up.



Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.



Step # 1 Remove old versions of Java

While you have the latest version of Java installed, older Java versions have vulnerabilities and need to be removed.

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

J2SE Runtime Environment 5.0 Update 11

Java(TM) SE Runtime Environment 6 Update 1

Java(TM) 6 Update 2



Step # 2 Download AVG Anti-Spyware

Download the trial version of AVG Anti-Spyware from here (http://free.grisoft.com/filedir/inst/avgas-setup-7.5.1.43.exe) and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
Click the Update icon at the top and under Manual Update click the Start update button.
The program will either update or inform you that no update was available.
It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (http://downloads.ewido.net/avgas-signatures-full-current.exe) (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database). Please set up the program as follows:
Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
Click the Update icon and untick the automatic update option.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act? - make sure that Quarantine is selected.
Under How to scan? - All checkboxes should be ticked.
Under Possibly unwanted software - All checkboxes should be ticked.
Under Reports - Select Do not automatically generate reports.
Under What to scan? - Select Scan every file. Close all open windows.
Do not run a scan yet.



Step # 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 4: Boot into Safe Mode

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.



Step # 5 Run AVG Anti-Spyware

Click on Scanner on the toolbar.
Click on Complete System Scan to start the scan process.
Let the program scan your computer.
When the scan has finished, follow the instructions below:
Make sure that Set all elements to: shows Quarantine
Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
When the program has finished, it will display the message All actions have been applied.
Then click the Save Scan Report button.
Click the Save Report as button.
Save the report to your Desktop. Right-click the AVG Tray Icon and select Exit.
Reboot your computer.
Now copy the report back to this topic.


Step # 6 Post Logs

In your next post/reply, I'd like to see the following:

1. AVG AntiSpyware Report
2. A fresh HiJackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
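Added example (not part of km2357's instructions, and not a Spybot tool): Step # 1 above asks the reader to eyeball Add/Remove Programs for older Java runtimes. The check can be automated, and doing so shows why it is easy to miss entries by hand: Sun changed the display-name format between releases, so "J2SE Runtime Environment 5.0 Update 11", "Java(TM) SE Runtime Environment 6 Update 1" and "Java(TM) 6 Update 2" are all runtimes of the same product line. The script below normalises those three formats plus the older "Java 2 Runtime Environment, SE v1.4.2_03" style into a (major, update) pair and keeps only the newest. The sample list is constructed from the names in Step # 1; "Java(TM) 6 Update 3" as the current install and the 1.4.2 entry are assumptions (the `jre1.6.0_03` path in the log suggests 6 Update 3, but its display name is not in the thread). `installed_display_names()` reads the real list from the HKLM Uninstall key via the standard `winreg` module and is only used on Windows.

```python
"""Find stale Java runtimes among Add/Remove Programs display names (added example).

Sun's display names changed between releases, so the parser accepts the
1.4 ("Java 2 Runtime Environment, SE v1.4.2_03"), 5.0 ("J2SE Runtime
Environment 5.0 Update 11") and 6 ("Java(TM) 6 Update 2") styles, then
keeps only the newest (major, update) pair and lists the rest for removal.
"""
import re
import sys
from typing import List, Optional, Tuple

# "J2SE Runtime Environment 5.0 Update 11", "Java(TM) SE Runtime Environment 6 Update 1",
# "Java(TM) 6 Update 2": major version, an optional ".0", then the update number.
NEW_STYLE = re.compile(r"^(?:J2SE|Java\(TM\))\D*?(\d+)(?:\.\d+)?\D*?Update\s+(\d+)",
                       re.IGNORECASE)
# "Java 2 Runtime Environment, SE v1.4.2_03": 1.<major>.<minor>_<update>
OLD_STYLE = re.compile(r"^Java 2 Runtime Environment, SE v1\.(\d+)\.\d+_(\d+)",
                       re.IGNORECASE)


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """(major, update) for a Sun Java display name, None for anything else."""
    for pattern in (NEW_STYLE, OLD_STYLE):
        m = pattern.match(display_name.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def split_java_installs(display_names: List[str]) -> Tuple[List[str], List[str]]:
    """Return (keep, remove): the newest Java install(s) and every older one, in input order."""
    versioned = []
    for name in display_names:
        v = parse_java_version(name)
        if v is not None:
            versioned.append((name, v))
    if not versioned:
        return [], []
    newest = max(v for _, v in versioned)
    keep = [name for name, v in versioned if v == newest]
    remove = [name for name, v in versioned if v < newest]
    return keep, remove


def installed_display_names() -> List[str]:
    """DisplayName of every per-machine Uninstall entry (Windows only; the Add/Remove Programs list)."""
    import winreg  # only importable on Windows
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:        # EnumKey raises once the index runs past the last subkey
                break
            i += 1
            try:
                with winreg.OpenKey(root, sub) as k:
                    names.append(str(winreg.QueryValueEx(k, "DisplayName")[0]))
            except OSError:        # entry without a DisplayName value
                continue
    return names


# Constructed sample: the three names from Step # 1, an assumed older 1.4.2
# runtime, one unrelated program, and "Java(TM) 6 Update 3" as the assumed
# current install (display name assumed from the jre1.6.0_03 path in the log).
SAMPLE_PROGRAMS = [
    "Spybot - Search & Destroy",
    "J2SE Runtime Environment 5.0 Update 11",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
]

if __name__ == "__main__":
    names = installed_display_names() if sys.platform == "win32" else SAMPLE_PROGRAMS
    keep, remove = split_java_installs(names)
    print("keep:  ", keep)
    print("remove:", remove)
```

The point of keeping every stale runtime off the machine is the one km2357 gives: an older JRE left installed is still a loadable, exploitable component even when a newer one is the default, so the list under "remove" is the list to work through in Add/Remove Programs.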

newenglandhiker
2007-12-28, 16:59
km2357, I will be out of town over New Year's weekend and will do my homework when I get back into town on New Year's Day. Thanks for all your help.

km2357
2007-12-28, 21:52
No problem and thanks for letting me know.

newenglandhiker
2008-01-04, 18:05
km2357, I got tied up since New Year's Day with frozen fuel lines in my car (it's been cold here in New England!) and work. I will be doing my homework this afternoon. Sorry for the delay.

km2357
2008-01-08, 20:20
Newenglandhiker?

Do you still need my help? If any of my instructions were unclear, please let me know.