desktop icons and taskbar disappear
microwaver
2008-05-05, 18:00
My desktop icons and taskbar disappear within a minute or less after starting windows XP.
I followed the instructions in this forum for new posts:
Ran Spybot 1.5.2 and immunized system;
Ran Kaspersky online scan and saved log file (available, but very big);
Ran HijackThis, log file below;
Rebooted to safe mode, but cannot run Spybot, desktop disappears.
Any help will be appreciated, been working on this for more than one week.
Regards,
Microwaver
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:29 AM, on 5/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\taskmngr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Express Technologies\World Watch\W32ALARM.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {4F51D0B7-AA51-4CA1-8C1F-6E3EF2EDC793} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\System32\wvUoLdcA.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft] wmism23.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft] wmism23.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows IP Security Service] nvhlq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows USB 2.0 Driver] usbservice.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU2] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows IP Security Service] nvhlq.exe (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: World Watch.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O20 - Winlogon Notify: awtqnkhe - C:\WINDOWS\SYSTEM32\awtqnkhe.dll
O20 - Winlogon Notify: wvUoLdcA - C:\WINDOWS\SYSTEM32\wvUoLdcA.dll
O20 - Winlogon Notify: yayyWqPI - C:\WINDOWS\SYSTEM32\yayyWqPI.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: Windows Task Services (TASKMNGR) - Unknown owner - C:\WINDOWS\system\taskmngr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.medhelp.org/images/index/header2.jpg
--
End of file - 6561 bytes
Rorschach112
2008-05-05, 18:23
Hello
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
microwaver
2008-05-06, 08:27
Ran combofix and hijackthis, logs below:
thanks and regards,
microwaver
*****
Combofix:
ComboFix 08-05-01.3 - Owner 2008-05-05 21:58:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.165 [GMT -7:00]
Running from: C:\Documents and Settings\Tims_Stuff\PC_SpeedUp\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\SpyGuardPro
C:\Documents and Settings\Owner\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\Owner\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\temp.cab
C:\Documents and Settings\Owner\ResErrors.log
C:\SpyGuardPro
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\gimmygames101.dat
C:\WINDOWS\regedit.com
C:\WINDOWS\system\taskmngr.exe
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\awtSkljg.dll
C:\WINDOWS\system32\byXOhIcb.dll
C:\WINDOWS\system32\c.exe
C:\WINDOWS\system32\ddcBspqP.dll
C:\WINDOWS\system32\efcASmKa.dll
C:\WINDOWS\system32\ex1
C:\WINDOWS\system32\fccaxYPH.dll
C:\WINDOWS\system32\fccaYstq.dll
C:\WINDOWS\system32\fcccDsqn.dll
C:\WINDOWS\system32\geBrOHwt.dll
C:\WINDOWS\system32\GiihQqss.ini
C:\WINDOWS\system32\GiihQqss.ini2
C:\WINDOWS\system32\hgGxUNDt.dll
C:\WINDOWS\system32\iifcYRhF.dll
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\ipd1
C:\WINDOWS\system32\jkkijhfe.dll
C:\WINDOWS\system32\jkQXwyxx.ini
C:\WINDOWS\system32\jkQXwyxx.ini2
C:\WINDOWS\system32\ljJDWOhG.dll
C:\WINDOWS\system32\ljJYPfca.dll
C:\WINDOWS\system32\LSDJRXyb.ini
C:\WINDOWS\system32\LSDJRXyb.ini2
C:\WINDOWS\system32\mlJDwTJA.dll
C:\WINDOWS\system32\mlJYsqoM.dll
C:\WINDOWS\system32\nnnLeEWo.dll
C:\WINDOWS\system32\oc9
C:\WINDOWS\system32\oc9\qopre83122.exe
C:\WINDOWS\system32\opnmLEvV.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnkHXoo.dll
C:\WINDOWS\system32\pmnlmmME.dll
C:\WINDOWS\system32\pmnMGWnn.dll
C:\WINDOWS\system32\pmnnOfFV.dll
C:\WINDOWS\system32\pmnoPFWo.dll
C:\WINDOWS\system32\qoMcdcyA.dll
C:\WINDOWS\system32\rqRIaXOH.dll
C:\WINDOWS\system32\shel9
C:\WINDOWS\system32\ssqQhiiG.dll
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\urqQhExv.dll
C:\WINDOWS\system32\vtUkiJAS.dll
C:\WINDOWS\system32\wvULcdDV.dll
C:\WINDOWS\system32\wvUmmkKe.dll
C:\WINDOWS\system32\wvUnOIXP.dll
C:\WINDOWS\system32\wvUoLdcA.dll
C:\WINDOWS\system32\xxyaawWN.dll
C:\WINDOWS\system32\yayyWqPI.dll
C:\WINDOWS\winsysupd101.dat
C:\WINDOWS\winsysupd111.dat
C:\WINDOWS\winsysupd71.dat
C:\WINDOWS\winsysupd91.dat
E:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DHLP
-------\Legacy_REMON
-------\Legacy_TASKMNGR
-------\Legacy_TNIDRIVER
-------\Service_remon
-------\Service_TASKMNGR
-------\Service_TnIDriver
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.
2008-05-02 00:42 . 2008-05-02 00:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-02 00:42 . 2008-05-02 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 23:14 . 2003-02-20 12:01 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\WINDOWS
2008-04-29 23:14 . 2008-04-29 23:14 <DIR> d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\UserData
2008-04-29 23:14 . 2008-04-29 23:14 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\pcbenv
2008-04-29 23:14 . 2003-02-20 11:39 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\VERITAS
2008-04-29 23:14 . 2003-02-21 09:34 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Symantec
2008-04-29 23:14 . 2003-02-20 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Share-to-Web Upload Folder
2008-04-29 23:14 . 2003-02-20 12:10 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\SampleView
2008-04-29 23:14 . 2005-02-06 13:32 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Qfin3
2008-04-29 23:14 . 2004-04-17 00:05 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSNInstaller
2008-04-29 23:14 . 2005-07-19 21:13 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSN6
2008-04-29 23:14 . 2005-02-11 19:11 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Motive
2008-04-29 23:14 . 2004-03-11 09:57 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterVideo
2008-04-29 23:14 . 2003-02-20 11:53 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterTrust
2008-04-29 23:14 . 2003-12-21 00:31 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Hewlett-Packard
2008-04-29 23:14 . 2004-01-19 22:42 <DIR> d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\GTek
2008-04-29 23:14 . 2003-12-19 20:03 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Freedom
2008-04-29 23:14 . 2004-09-11 14:59 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ESBCalc
2008-04-29 23:14 . 2004-12-30 22:57 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Corel
2008-04-29 23:14 . 2004-05-05 23:13 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ArcSoft
2008-04-29 23:14 . 2004-12-26 01:05 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Apple Computer
2008-04-29 23:14 . 2004-02-14 02:54 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\AOL
2008-04-29 23:14 . 2004-05-04 08:37 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Active Disk
2008-04-29 23:14 . 2004-12-01 13:05 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\accounts payable
2008-04-29 23:14 . 2008-04-29 23:14 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002
2008-04-29 23:14 . 2008-05-05 21:58 1,024 --ah----- C:\Documents and Settings\Administrator.PAVILION735N.002\ntuser.dat.LOG
2008-04-29 22:38 . 2008-04-29 22:41 <DIR> d-------- C:\Program Files\ERUNT
2008-04-29 22:14 . 2008-04-29 22:14 39,936 --a------ C:\WINDOWS\system32\ljJyvWnk.dl~
2008-04-29 22:11 . 2008-04-29 22:11 0 --a------ C:\WINDOWS\system32\clkcnt.t~~
2008-04-29 22:06 . 2008-04-29 22:06 39,936 --a------ C:\WINDOWS\system32\qoMecbxw.dl~
2008-04-29 22:00 . 2008-04-29 22:00 39,936 --a------ C:\WINDOWS\system32\nnnnLfEv.dl~
2008-04-29 21:56 . 2008-04-29 21:56 39,936 --a------ C:\WINDOWS\system32\opnOIbca.dl~
2008-04-26 15:16 . 2008-04-26 15:16 39,936 --a------ C:\WINDOWS\system32\yayaBTNE.dl~
2008-04-25 01:53 . 2008-04-25 01:53 39,936 --a------ C:\WINDOWS\system32\ddcCVPgH.dl~
2008-04-25 01:20 . 2008-04-25 01:20 39,936 --a------ C:\WINDOWS\system32\vtUkKbXq.dl~
2008-04-25 00:46 . 2008-04-25 00:46 39,936 --a------ C:\WINDOWS\system32\ddcyWqpO.dl~
2008-04-23 11:13 . 2001-01-01 08:31 39,936 --a------ C:\WINDOWS\system32\xxywWpqP.dl~
2008-04-23 11:11 . 2008-04-23 11:11 39,936 --a------ C:\WINDOWS\system32\ddccYrOg(2).dl~
2008-04-21 17:18 . 2001-01-03 00:16 0 --a------ C:\WINDOWS\system32\clkcnt.tx~
2008-04-21 17:17 . 2008-04-22 06:43 493,199 --ahs---- C:\WINDOWS\system32\jkQXwyxx(3).ini
2008-04-21 17:17 . 2008-04-23 08:49 411,818 --ahs---- C:\WINDOWS\system32\jkQXwyxx(2).ini
2008-04-21 17:17 . 2008-04-21 17:17 272,896 --a------ C:\WINDOWS\system32\xxywXQkj.dl~
2008-04-21 17:12 . 2008-04-21 17:12 39,936 --a------ C:\WINDOWS\system32\rqRIAqnm.dl~
2008-04-14 17:48 . 2008-04-14 17:48 <DIR> d-------- C:\Program Files\PentaLogix
2008-04-14 17:48 . 2005-12-07 18:19 1,363,968 --a------ C:\WINDOWS\system32\scviewer.ocx
2008-04-14 17:48 . 2000-01-19 12:53 647,168 -ra------ C:\WINDOWS\system32\pvdt70.ocx
2008-04-14 17:48 . 2007-03-21 21:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-14 17:48 . 2007-03-21 21:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-14 17:48 . 2005-09-23 06:56 7,168 --a------ C:\WINDOWS\system32\mfcmifc80.dll
2008-04-14 17:48 . 2005-11-26 22:00 104 --a------ C:\WINDOWS\system32\scviewer.lic
2008-04-13 22:16 . 2008-04-13 22:16 68,608 -r-hs---- C:\WINDOWS\system\explorer.exe
2008-04-11 04:55 . 2008-04-11 04:55 67,072 --a------ C:\WINDOWS\system32\av.ex~
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 07:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-30 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-15 00:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-06 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-06 17:03 --------- d-----w C:\Program Files\Webroot
2008-03-06 17:02 --------- d-----w C:\Program Files\Zone Labs
2008-01-30 06:37 0 ----a-w C:\Documents and Settings\Owner\DLM.dll
2008-01-22 17:40 172 ---ha-w C:\Documents and Settings\Administrator.PAVILION735N\hpothb07.dat
2008-01-22 17:39 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2008-01-19 01:46 797 ---ha-w C:\Documents and Settings\Diann\hpothb07.dat
2007-05-09 03:09 785 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2007-04-18 00:39 12,993 ---ha-w C:\Documents and Settings\Tims_Stuff\hpothb07.dat
2007-03-11 20:24 146 ---ha-w C:\Program Files\hpothb07.dat
2007-02-21 23:23 3,374,720 ----a-w C:\Documents and Settings\Tims_Stuff\EasyLink_Connect.exe
2006-09-08 15:09 255 ---ha-w C:\Program Files\hpothb07.tif
2006-09-08 15:09 0 ---ha-w C:\Documents and Settings\Administrator\Application Data\hpothb07.dat
2006-09-08 15:08 176 ---ha-w C:\Documents and Settings\Administrator.PAVILION735N.001\hpothb07.dat
2006-09-08 15:08 176 ---ha-w C:\Documents and Settings\Administrator.PAVILION735N.000\hpothb07.dat
2006-05-15 23:04 807 ---ha-w C:\Documents and Settings\patches\hpothb07.dat
2006-05-14 05:11 3,647 ---ha-w C:\Documents and Settings\timsdata\hpothb07.dat
2006-02-03 08:19 74 ----a-w C:\Documents and Settings\Owner\x.bat
2006-02-03 07:00 16,384 ----a-w C:\Documents and Settings\Owner\start.exe
2005-06-23 08:17 2,656,532 ----a-w C:\Documents and Settings\Tims_Stuff\i950usersguide_us.exe
2005-03-27 03:16 54,315,597 ----a-w C:\Program Files\NSW2005.exe
2004-05-27 03:49 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2004-05-23 21:33 360 ---ha-w C:\WINDOWS\system32\config\systemprofile\Application Data\hpothb07.dat
2004-05-23 21:33 360 ---ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2004-05-22 01:47 705,398 ----a-w C:\Documents and Settings\Tims_Stuff\winmail.dat
2004-05-20 15:09 2,372,760 ----a-w C:\Documents and Settings\Tims_Stuff\winzip90.exe
2004-04-12 02:21 238,394 ----a-w C:\Documents and Settings\Tims_Stuff\09-0120-1.20040410-1525.pdf.zip
2004-04-03 04:17 250,258 ----a-w C:\Documents and Settings\Tims_Stuff\Pico_Rev2.zip
2003-12-21 08:03 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2001-12-04 20:24 1,372 ----a-w C:\Program Files\Common Files\North_america_hyperlink.hld
2001-12-04 20:24 1,247 ----a-w C:\Program Files\Common Files\pacific_ocean_hyperlink.hld
2001-12-04 20:24 1,247 ----a-w C:\Program Files\Common Files\atlantic_ocean_hyperlink.hld
2001-12-04 20:23 1,246 ----a-w C:\Program Files\Common Files\World_hyperlink.hld
2001-12-04 20:22 1,245 ----a-w C:\Program Files\Common Files\Live_Earth_HyperLink.hld
2001-12-04 20:22 1,206 ----a-w C:\Program Files\Common Files\india_ocean_hyperlink.hld
2001-12-04 20:19 1,206 ----a-w C:\Program Files\Common Files\europe_hyperlink.hld
2001-12-04 20:18 1,332 ----a-w C:\Program Files\Common Files\asia_hyperlink.hld
2001-12-04 20:18 1,212 ----a-w C:\Program Files\Common Files\africa_hyperlink.hld
2001-12-04 20:17 1,332 ----a-w C:\Program Files\Common Files\australia_hyperlink.hld
2001-12-04 20:16 1,331 ----a-w C:\Program Files\Common Files\south_america_hyperlink.hld
2001-12-04 20:15 1,968 ----a-w C:\Program Files\Common Files\united_states_hyperlink.hld
2001-12-04 20:15 1,330 ----a-w C:\Program Files\Common Files\southeast_asia_hyperlink.hld
2001-11-29 22:30 19,230 ----a-w C:\Program Files\Common Files\etcdata.js
2001-11-28 22:34 2,564 ----a-w C:\Program Files\Common Files\datadisplay.htm
2001-11-20 23:59 1,508 ----a-w C:\Program Files\Common Files\hyperlink.css
2001-11-20 21:25 340 ----a-w C:\Program Files\Common Files\locations.htm
2001-11-20 20:26 16,296 ----a-w C:\Program Files\Common Files\Copy of etcdata.js
2001-11-20 01:44 2,309 ----a-w C:\Program Files\Common Files\Copy of datadisplay.htm
2000-10-17 16:49 65 ----a-w C:\Program Files\Common Files\1.htm
2000-06-16 00:39 28,672 ----a-w C:\Program Files\Common Files\wwbrowser.exe
2000-05-22 09:00 77 ----a-w C:\Program Files\Common Files\ins.css
2000-04-25 09:00 28,672 ----a-w C:\Program Files\Common Files\browser.bak
2003-02-21 16:34 32 --sha-w C:\WINDOWS\{53BFA4F4-6650-49B6-8DDD-FD9A43343E31}.dat
2004-01-01 21:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2003-02-21 16:34 32 --sha-w C:\WINDOWS\system32\{BA1EFD3B-3CE5-4B0E-8CB7-D14D753F9375}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F51D0B7-AA51-4CA1-8C1F-6E3EF2EDC793}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 23:08 1511453]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 22:03 68856]
"Microsoft"="wmism23.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 18:42 69632]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"nwiz"="nwiz.exe" [2002-09-09 23:35 372736 C:\WINDOWS\system32\nwiz.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 07:05 114688]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 00:11 69632]
"AutoTBar"="C:\hp\bin\autotbar.exe" [ ]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-20 13:30 282624]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-02-03 14:14 26112]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [ ]
"RegistryMechanic"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows IP Security Service"="nvhlq.exe" []
"Windows USB 2.0 Driver"="usbservice.exe" []
"CU1"="" []
"CU2"="" []
"Microsoft"="wmism23.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 19:11:12 28672]
World Watch.lnk - C:\Program Files\Express Technologies\World Watch\W32ALARM.exe [2008-01-29 00:17:20 184320]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkhe]
awtqnkhe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
R1 hwinterface;hwinterface;C:\WINDOWS\System32\Drivers\hwinterface.sys [2001-09-21 00:05]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-21 09:39]
R2 ExplorerSvc;Windows Host Services;"C:\WINDOWS\system\explorer.exe" [2008-04-13 22:16]
R2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-03-09 01:19]
S4 Local Service;Local Service;"C:\WINDOWS\chfmon.exe" []
S4 Web Live Information Messenger;Web Live Information Messenger;"C:\WINDOWS\webmsn.exe" []
.
Contents of the 'Scheduled Tasks' folder
"2004-04-07 06:27:18 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1071991571.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 22:07:42
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2008-05-05 22:17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 05:17:07
Pre-Run: 26,546,057,216 bytes free
Post-Run: 26,820,251,648 bytes free
287 --- E O F --- 2008-02-13 15:06:57
*****
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:54 PM, on 5/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Express Technologies\World Watch\W32ALARM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft] wmism23.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows IP Security Service] nvhlq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows USB 2.0 Driver] usbservice.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU2] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows IP Security Service] nvhlq.exe (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: World Watch.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O20 - Winlogon Notify: awtqnkhe - awtqnkhe.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.medhelp.org/images/index/header2.jpg
--
End of file - 6088 bytes
*****
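Before the helper's fix instructions, it is worth seeing why the log above is alarming. The entries that stand out share a few patterns: Run values that are bare file names rather than full paths (wmism23.exe, nvhlq.exe, usbservice.exe), Windows-sounding entry names that point at no Microsoft path, autostarts in the SYSTEM account's Run key (HKUS\S-1-5-18), domains added to the IE Trusted Zone, a Winlogon Notify DLL that is registered but missing, and a service with no publisher whose binary is called explorer.exe but lives in C:\WINDOWS\system instead of C:\WINDOWS. The Python below is an added example that applies exactly those heuristics to O4/O15/O20/O23 lines; it is not HijackThis code or a tool from this forum. The sample lines are a constructed subset of the posted log, and the table of "home" directories for Windows binaries is an assumption about a default XP layout, so treat the output as a triage list to investigate, not a verdict (legitimate software sometimes uses bare file names too).

```python
"""Triage HijackThis O4/O15/O20/O23 lines with the heuristics this thread relies on."""
import ntpath
import re

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [Microsoft] wmism23.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows IP Security Service] nvhlq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O15 - Trusted Zone: *.gomyhit.com
O20 - Winlogon Notify: awtqnkhe - awtqnkhe.dll (file missing)
O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed default XP layout: each Windows binary and the one directory it belongs in.
# The same name anywhere else (here C:\WINDOWS\system\explorer.exe) is a masquerade candidate.
WINDOWS_HOME = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[([^\]]*)\](.*)$")
USER_RE = re.compile(r" \(User '([^']*)'\)$")


def is_bare(cmd):
    """A value with no drive or directory is found via the search path, not a fixed location."""
    return bool(cmd) and "\\" not in cmd and ":" not in cmd


def masquerades(path):
    """True when a well-known Windows file name sits outside its home directory."""
    home = WINDOWS_HOME.get(ntpath.basename(path).lower())
    return home is not None and ntpath.dirname(path).lower() != home


def triage_line(line):
    """Return the reasons a line deserves a look (empty list when it does not)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        hive, name, rest = m.groups()
        um = USER_RE.search(rest)
        user = um.group(1) if um else None
        cmd = (rest[:um.start()] if um else rest).strip()
        if is_bare(cmd):
            reasons.append("Run value is a bare file name")
        if is_bare(cmd) and (name == "Microsoft" or name.startswith("Windows ")):
            reasons.append("Windows-sounding entry name without a Windows path")
        if user == "SYSTEM" or "S-1-5-18" in hive:
            reasons.append("autostarts from the SYSTEM account's Run key")
        if not cmd:
            reasons.append("empty Run value (leftover or placeholder)")
    elif line.startswith("O15 - Trusted Zone:"):
        reasons.append("domain added to the IE Trusted Zone (relaxed security settings)")
    elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        reasons.append("Winlogon Notify DLL registered but absent; would load into winlogon.exe if restored")
    elif line.startswith("O23 - Service:"):
        owner, path = line.split(" - ")[-2:]
        if owner == "Unknown owner":
            reasons.append("service binary carries no publisher information")
        if masquerades(path):
            reasons.append("binary named like a Windows component but outside its home directory")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons, preserving log order."""
    out = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            out[line] = reasons
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a full log with `triage(open("hijackthis.log").read())`; the TeaTimer and NVIDIA lines in the sample come back clean, the other six are flagged with the reason that applies.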
Rorschach112
2008-05-06, 14:48
Hello
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\ljJyvWnk.dl~
C:\WINDOWS\system32\clkcnt.t~~
C:\WINDOWS\system32\qoMecbxw.dl~
C:\WINDOWS\system32\nnnnLfEv.dl~
C:\WINDOWS\system32\opnOIbca.dl~
C:\WINDOWS\system32\yayaBTNE.dl~
C:\WINDOWS\system32\ddcCVPgH.dl~
C:\WINDOWS\system32\vtUkKbXq.dl~
C:\WINDOWS\system32\ddcyWqpO.dl~
C:\WINDOWS\system32\xxywWpqP.dl~
C:\WINDOWS\system32\ddccYrOg(2).dl~
C:\WINDOWS\system32\clkcnt.tx~
C:\WINDOWS\system32\jkQXwyxx(3).ini
C:\WINDOWS\system32\jkQXwyxx(2).ini
C:\WINDOWS\system32\xxywXQkj.dl~
C:\WINDOWS\system32\rqRIAqnm.dl~
C:\WINDOWS\system32\av.ex~
C:\Documents and Settings\Owner\x.bat
C:\Documents and Settings\Owner\start.exe
Folder::
Registry::
Driver::
Local Service
Web Live Information Messenger
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:
C:\WINDOWS\system\explorer.exe
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Repeat it for these files
C:\Documents and Settings\Tims_Stuff\i950usersguide_us.exe
C:\Program Files\Common Files\wwbrowser.exe
microwaver
2008-05-07, 08:54
Hello, sorry for long delays in my replies to your posts.
We are 7 hours apart and my workday has been long.
Completed scans you requested,
logs below.
Regards,
microwaver
*****
SDFix: Version 1.180
Run by Administrator on Tue 05/06/2008 at 09:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1.002\Desktop\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\SYSTEM32\ERASEM~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSWIND~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SED5FB~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SETUP_~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\VDMD7.TMP - Deleted
C:\VDMD8.TMP - Deleted
C:\WINDOWS\system32\eraseme_11515.exe - Deleted
C:\WINDOWS\system32\setup_16258.exe - Deleted
C:\WINDOWS\system32\setup_25702.exe - Deleted
C:\WINDOWS\system32\TFTP1580 - Deleted
C:\WINDOWS\system32\TFTP2180 - Deleted
C:\WINDOWS\system32\TFTP2528 - Deleted
C:\WINDOWS\system32\TFTP2900 - Deleted
C:\WINDOWS\system32\TFTP3240 - Deleted
C:\WINDOWS\system32\TFTP3924 - Deleted
C:\iexplore.exe - Deleted
C:\WINDOWS\system\explorer.exe - Deleted
C:\WINDOWS\system\smscg.exe - Deleted
Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 22:01:02
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
Remaining Files :
File Backups: - C:\DOCUME~1\ADMINI~1.002\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 5 Mar 2007 71,168 ..SHR --- "C:\itshfbc\Setup.exe"
Thu 14 Mar 2002 36,947 A..H. --- "C:\Program Files\America Online 7.0\aolphx.exe"
Tue 27 Nov 2001 32,839 A..H. --- "C:\Program Files\America Online 7.0\aoltray.exe"
Mon 26 Nov 2001 40,960 A..H. --- "C:\Program Files\America Online 7.0\RBM.exe"
Mon 26 Nov 2001 180,287 A..H. --- "C:\Program Files\America Online 7.0\waol.exe"
Fri 15 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 15 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 15 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 28 Apr 2004 238,792 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 1 Jan 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Tue 10 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 10 Aug 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Thu 19 Jan 2006 20,480 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0001.tmp"
Thu 19 Jan 2006 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0067.tmp"
Sat 24 Jun 2006 25,088 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL0003.tmp"
Sat 24 Jun 2006 27,648 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL0343.tmp"
Sat 24 Jun 2006 26,112 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL1959.tmp"
Sat 24 Jun 2006 28,160 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL2346.tmp"
Sat 24 Jun 2006 27,648 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL2385.tmp"
Sat 24 Jun 2006 26,112 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL2857.tmp"
Sat 24 Jun 2006 27,136 A..H. --- "C:\Documents and Settings\Tims_Stuff\1_A_A_JobSrch_2006\~WRL3086.tmp"
Mon 26 Nov 2001 49,221 A..H. --- "C:\Program Files\America Online 7.0\COMIT\cswitch.exe"
Thu 30 Sep 2004 378 A..H. --- "C:\Documents and Settings\Default User\Local Settings\Temp\wv6yim.dll"
Fri 21 Feb 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 21 Feb 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 6 Jan 2004 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\OffA.tmp"
Fri 15 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Tue 23 Mar 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 1 Jun 2004 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Finished!
*******
ComboFix 08-05-01.3 - Owner 2008-05-06 22:13:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.154 [GMT -7:00]
Running from: C:\Documents and Settings\Tims_Stuff\PC_SpeedUp\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tims_Stuff\PC_SpeedUp\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\Owner\start.exe
C:\Documents and Settings\Owner\x.bat
C:\WINDOWS\system32\av.ex~
C:\WINDOWS\system32\clkcnt.t~~
C:\WINDOWS\system32\clkcnt.tx~
C:\WINDOWS\system32\ddcCVPgH.dl~
C:\WINDOWS\system32\ddccYrOg(2).dl~
C:\WINDOWS\system32\ddcyWqpO.dl~
C:\WINDOWS\system32\jkQXwyxx(2).ini
C:\WINDOWS\system32\jkQXwyxx(3).ini
C:\WINDOWS\system32\ljJyvWnk.dl~
C:\WINDOWS\system32\nnnnLfEv.dl~
C:\WINDOWS\system32\opnOIbca.dl~
C:\WINDOWS\system32\qoMecbxw.dl~
C:\WINDOWS\system32\rqRIAqnm.dl~
C:\WINDOWS\system32\vtUkKbXq.dl~
C:\WINDOWS\system32\xxywWpqP.dl~
C:\WINDOWS\system32\xxywXQkj.dl~
C:\WINDOWS\system32\yayaBTNE.dl~
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\start.exe
C:\Documents and Settings\Owner\x.bat
C:\WINDOWS\system32\av.ex~
C:\WINDOWS\system32\clkcnt.t~~
C:\WINDOWS\system32\clkcnt.tx~
C:\WINDOWS\system32\ddcCVPgH.dl~
C:\WINDOWS\system32\ddccYrOg(2).dl~
C:\WINDOWS\system32\ddcyWqpO.dl~
C:\WINDOWS\system32\jkQXwyxx(2).ini
C:\WINDOWS\system32\jkQXwyxx(3).ini
C:\WINDOWS\system32\ljJyvWnk.dl~
C:\WINDOWS\system32\nnnnLfEv.dl~
C:\WINDOWS\system32\opnOIbca.dl~
C:\WINDOWS\system32\qoMecbxw.dl~
C:\WINDOWS\system32\rqRIAqnm.dl~
C:\WINDOWS\system32\vtUkKbXq.dl~
C:\WINDOWS\system32\xxywWpqP.dl~
C:\WINDOWS\system32\xxywXQkj.dl~
C:\WINDOWS\system32\yayaBTNE.dl~
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LOCAL_SERVICE
-------\Legacy_WEB_LIVE_INFORMATION_MESSENGER
-------\Service_Local Service
-------\Service_Web Live Information Messenger
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-06 21:49 . 2008-05-06 21:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 21:45 . 2008-05-05 21:43 <DIR> d-------- C:\SDFix
2008-05-02 00:42 . 2008-05-02 00:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-02 00:42 . 2008-05-02 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 23:14 . 2003-02-20 12:01 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\WINDOWS
2008-04-29 23:14 . 2008-04-29 23:14 <DIR> d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\UserData
2008-04-29 23:14 . 2008-04-29 23:14 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\pcbenv
2008-04-29 23:14 . 2003-02-20 11:39 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\VERITAS
2008-04-29 23:14 . 2003-02-21 09:34 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Symantec
2008-04-29 23:14 . 2003-02-20 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Share-to-Web Upload Folder
2008-04-29 23:14 . 2003-02-20 12:10 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\SampleView
2008-04-29 23:14 . 2005-02-06 13:32 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Qfin3
2008-04-29 23:14 . 2004-04-17 00:05 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSNInstaller
2008-04-29 23:14 . 2005-07-19 21:13 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSN6
2008-04-29 23:14 . 2005-02-11 19:11 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Motive
2008-04-29 23:14 . 2004-03-11 09:57 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterVideo
2008-04-29 23:14 . 2003-02-20 11:53 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterTrust
2008-04-29 23:14 . 2003-12-21 00:31 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Hewlett-Packard
2008-04-29 23:14 . 2004-01-19 22:42 <DIR> d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\GTek
2008-04-29 23:14 . 2003-12-19 20:03 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Freedom
2008-04-29 23:14 . 2004-09-11 14:59 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ESBCalc
2008-04-29 23:14 . 2004-12-30 22:57 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Corel
2008-04-29 23:14 . 2004-05-05 23:13 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ArcSoft
2008-04-29 23:14 . 2004-12-26 01:05 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Apple Computer
2008-04-29 23:14 . 2004-02-14 02:54 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\AOL
2008-04-29 23:14 . 2004-05-04 08:37 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Active Disk
2008-04-29 23:14 . 2004-12-01 13:05 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\accounts payable
2008-04-29 23:14 . 2008-04-29 23:14 <DIR> d-------- C:\Documents and Settings\Administrator.PAVILION735N.002
2008-04-29 23:14 . 2008-05-06 21:57 1,024 --ah----- C:\Documents and Settings\Administrator.PAVILION735N.002\ntuser.dat.LOG
2008-04-29 22:38 . 2008-04-29 22:41 <DIR> d-------- C:\Program Files\ERUNT
2008-04-14 17:48 . 2008-04-14 17:48 <DIR> d-------- C:\Program Files\PentaLogix
2008-04-14 17:48 . 2005-12-07 18:19 1,363,968 --a------ C:\WINDOWS\system32\scviewer.ocx
2008-04-14 17:48 . 2000-01-19 12:53 647,168 -ra------ C:\WINDOWS\system32\pvdt70.ocx
2008-04-14 17:48 . 2007-03-21 21:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-14 17:48 . 2007-03-21 21:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-14 17:48 . 2005-09-23 06:56 7,168 --a------ C:\WINDOWS\system32\mfcmifc80.dll
2008-04-14 17:48 . 2005-11-26 22:00 104 --a------ C:\WINDOWS\system32\scviewer.lic
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 07:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-30 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-15 00:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 06:37 0 ----a-w C:\Documents and Settings\Owner\DLM.dll
2008-01-22 17:40 172 ---ha-w C:\Documents and Settings\Administrator.PAVILION735N\hpothb07.dat
2008-01-22 17:39 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2008-01-19 01:46 797 ---ha-w C:\Documents and Settings\Diann\hpothb07.dat
2007-05-09 03:09 785 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2007-04-18 00:39 12,993 ---ha-w C:\Documents and Settings\Tims_Stuff\hpothb07.dat
2007-03-11 20:24 146 ---ha-w C:\Program Files\hpothb07.dat
2007-02-21 23:23 3,374,720 ----a-w C:\Documents and Settings\Tims_Stuff\EasyLink_Connect.exe
2006-09-08 15:09 255 ---ha-w C:\Program Files\hpothb07.tif
2006-09-08 15:09 0 ---ha-w C:\Documents and Settings\Administrator\Application Data\hpothb07.dat
2006-09-08 15:08 176 ---ha-w C:\Documents and Settings\Administrator.PAVILION735N.001\hpothb07.dat
2006-09-08 15:08 176 ---ha-w C:\Documents and Settings\Administrator.PAVILION735N.000\hpothb07.dat
2006-05-15 23:04 807 ---ha-w C:\Documents and Settings\patches\hpothb07.dat
2006-05-14 05:11 3,647 ---ha-w C:\Documents and Settings\timsdata\hpothb07.dat
2005-06-23 08:17 2,656,532 ----a-w C:\Documents and Settings\Tims_Stuff\i950usersguide_us.exe
2005-03-27 03:16 54,315,597 ----a-w C:\Program Files\NSW2005.exe
2004-05-27 03:49 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2004-05-23 21:33 360 ---ha-w C:\WINDOWS\system32\config\systemprofile\Application Data\hpothb07.dat
2004-05-23 21:33 360 ---ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2004-05-22 01:47 705,398 ----a-w C:\Documents and Settings\Tims_Stuff\winmail.dat
2004-05-20 15:09 2,372,760 ----a-w C:\Documents and Settings\Tims_Stuff\winzip90.exe
2004-04-12 02:21 238,394 ----a-w C:\Documents and Settings\Tims_Stuff\09-0120-1.20040410-1525.pdf.zip
2004-04-03 04:17 250,258 ----a-w C:\Documents and Settings\Tims_Stuff\Pico_Rev2.zip
2003-12-21 08:03 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2001-12-04 20:24 1,372 ----a-w C:\Program Files\Common Files\North_america_hyperlink.hld
2001-12-04 20:24 1,247 ----a-w C:\Program Files\Common Files\pacific_ocean_hyperlink.hld
2001-12-04 20:24 1,247 ----a-w C:\Program Files\Common Files\atlantic_ocean_hyperlink.hld
2001-12-04 20:23 1,246 ----a-w C:\Program Files\Common Files\World_hyperlink.hld
2001-12-04 20:22 1,245 ----a-w C:\Program Files\Common Files\Live_Earth_HyperLink.hld
2001-12-04 20:22 1,206 ----a-w C:\Program Files\Common Files\india_ocean_hyperlink.hld
2001-12-04 20:19 1,206 ----a-w C:\Program Files\Common Files\europe_hyperlink.hld
2001-12-04 20:18 1,332 ----a-w C:\Program Files\Common Files\asia_hyperlink.hld
2001-12-04 20:18 1,212 ----a-w C:\Program Files\Common Files\africa_hyperlink.hld
2001-12-04 20:17 1,332 ----a-w C:\Program Files\Common Files\australia_hyperlink.hld
2001-12-04 20:16 1,331 ----a-w C:\Program Files\Common Files\south_america_hyperlink.hld
2001-12-04 20:15 1,968 ----a-w C:\Program Files\Common Files\united_states_hyperlink.hld
2001-12-04 20:15 1,330 ----a-w C:\Program Files\Common Files\southeast_asia_hyperlink.hld
2001-11-29 22:30 19,230 ----a-w C:\Program Files\Common Files\etcdata.js
2001-11-28 22:34 2,564 ----a-w C:\Program Files\Common Files\datadisplay.htm
2001-11-20 23:59 1,508 ----a-w C:\Program Files\Common Files\hyperlink.css
2001-11-20 21:25 340 ----a-w C:\Program Files\Common Files\locations.htm
2001-11-20 20:26 16,296 ----a-w C:\Program Files\Common Files\Copy of etcdata.js
2001-11-20 01:44 2,309 ----a-w C:\Program Files\Common Files\Copy of datadisplay.htm
2000-10-17 16:49 65 ----a-w C:\Program Files\Common Files\1.htm
2000-06-16 00:39 28,672 ----a-w C:\Program Files\Common Files\wwbrowser.exe
2000-05-22 09:00 77 ----a-w C:\Program Files\Common Files\ins.css
2000-04-25 09:00 28,672 ----a-w C:\Program Files\Common Files\browser.bak
2003-02-21 16:34 32 --sha-w C:\WINDOWS\{53BFA4F4-6650-49B6-8DDD-FD9A43343E31}.dat
2004-01-01 21:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2003-02-21 16:34 32 --sha-w C:\WINDOWS\system32\{BA1EFD3B-3CE5-4B0E-8CB7-D14D753F9375}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-05-05_22.16.56.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 05:07:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 05:16:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 04:42:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-07 04:50:19 1,847,296 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-07 04:50:19 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-06 04:42:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-07 04:50:08 1,847,296 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-07 04:50:08 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 23:08 1511453]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 22:03 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 18:42 69632]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"nwiz"="nwiz.exe" [2002-09-09 23:35 372736 C:\WINDOWS\system32\nwiz.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 07:05 114688]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 00:11 69632]
"AutoTBar"="C:\hp\bin\autotbar.exe" [ ]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-20 13:30 282624]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-02-03 14:14 26112]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [ ]
"RegistryMechanic"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows IP Security Service"="nvhlq.exe" []
"Windows USB 2.0 Driver"="usbservice.exe" []
"CU1"="" []
"CU2"="" []
"Microsoft"="wmism23.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 19:11:12 28672]
World Watch.lnk - C:\Program Files\Express Technologies\World Watch\W32ALARM.exe [2008-01-29 00:17:20 184320]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkhe]
awtqnkhe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
R1 hwinterface;hwinterface;C:\WINDOWS\System32\Drivers\hwinterface.sys [2001-09-21 00:05]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-21 09:39]
S2 ExplorerSvc;Windows Host Services;"C:\WINDOWS\system\explorer.exe" []
S2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" []
.
Contents of the 'Scheduled Tasks' folder
"2004-04-07 06:27:18 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1071991571.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 22:17:07
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2008-05-06 22:26:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 05:26:22
ComboFix2.txt 2008-05-06 05:17:11
Pre-Run: 26,872,193,024 bytes free
Post-Run: 26,860,564,480 bytes free
243 --- E O F --- 2008-02-13 15:06:57
****************************************
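One block in the ComboFix "Reg Loading Points" section above deserves more attention than the helper's reply gives it: under HKEY_LOCAL_MACHINE\software\microsoft\security center, UpdatesDisableNotify, AntiVirusDisableNotify, AntiVirusOverride and FirewallOverride are all set to 1. Those are the values Windows XP SP2's Security Center reads to decide whether to warn about a missing antivirus, a disabled firewall or disabled Automatic Updates; set to 1, the warnings go away. This machine is still SP1 (see the "Service Pack 1" lines in the catchme output), so Security Center itself never wrote them. The Python below is an added example, not part of ComboFix or this forum's tooling: it parses a REGEDIT4-style fragment the way ComboFix prints one (including the trailing "[date size]" annotations), reports which Security Center values are set, and emits a .reg file that clears them. The sample text is a constructed excerpt of the log above, and the descriptions of what each value does are this editor's summary of SP2 Security Center behaviour, not something the log states. Clearing the values is only useful after the malware that set them is gone, which is why it belongs after the removal passes, not before.

```python
"""Parse a REGEDIT4 fragment as ComboFix prints it and flag Security Center suppression."""
import re

# Constructed sample: the Security Center block and one Run key from the ComboFix log above.
SAMPLE_REG = r"""
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows IP Security Service"="nvhlq.exe" []
"CU1"="" []
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"

# Effect of each value when set to 1 (Windows XP SP2 Security Center); editor's summary.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify": "hides the 'no antivirus' alert",
    "FirewallDisableNotify": "hides the 'firewall off' alert",
    "UpdatesDisableNotify": "hides the 'Automatic Updates off' alert",
    "AntiVirusOverride": "reports antivirus as present and monitored",
    "FirewallOverride": "reports a firewall as present and monitored",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
ANNOTATION_RE = re.compile(r"\s*\[[^\]]*\]$")  # ComboFix's trailing "[date size]" or "[]"


def parse_regedit4(text):
    """Return {key: {name: (value, kind)}} with kind 'dword', 'str' or 'other'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.group(1), ANNOTATION_RE.sub("", m.group(2))
            if val.startswith("dword:"):
                keys[current][name] = (int(val[len("dword:"):], 16), "dword")
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                keys[current][name] = (val[1:-1], "str")
            else:
                keys[current][name] = (val, "other")
    return keys


def security_center_tampering(keys):
    """Return [(name, effect)] for known Security Center values that are set non-zero."""
    findings = []
    for key, values in keys.items():
        if key.lower() != SECURITY_CENTER_KEY:
            continue
        for name, (val, kind) in values.items():
            if name in SECURITY_CENTER_FLAGS and kind == "dword" and val != 0:
                findings.append((name, SECURITY_CENTER_FLAGS[name]))
    return findings


def reset_script(findings):
    """Emit a REGEDIT4 file that clears the flagged values; import it with regedit once the malware is gone."""
    lines = ["REGEDIT4", "", r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]"]
    lines += ['"%s"=dword:00000000' % name for name, _ in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = security_center_tampering(parse_regedit4(SAMPLE_REG))
    for name, effect in found:
        print("%-24s = 1  (%s)" % (name, effect))
    print(reset_script(found))
```

Feed it the whole "Reg Loading Points" section of a ComboFix log rather than the excerpt and the parser also keeps the Run keys, so the same parsed structure can be reused for other checks.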
Rorschach112
2008-05-07, 18:45
Do this step please
Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:
C:\WINDOWS\system\explorer.exe
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Repeat it for these files
C:\Documents and Settings\Tims_Stuff\i950usersguide_us.exe
C:\Program Files\Common Files\wwbrowser.exe
Also post a new HijackThis log
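The VirusTotal step in both of the helper's posts has one check a practitioner wants before trusting the verdict: confirm that the file on disk is the one the report describes. A report lists the submitted file's MD5, SHA1 and SHA256; if the local copy hashes differently, the file changed between scans (or a different file was uploaded) and the detection names do not apply to it. The Python below is an added example, not code from VirusTotal or this forum: it hashes a file locally, parses a report pasted in the plain-text "Compact Print" form seen later in this thread (detection ratio, per-engine verdicts, hashes), and compares the two. The sample report is a constructed, abridged copy of the explorer.exe result microwaver posts in the next reply; the engine-row layout it parses is assumed to be the four-column "engine version update result" form shown there.

```python
"""Hash suspect files locally and cross-check them against a pasted VirusTotal report."""
import hashlib
import re

# Constructed sample: an abridged copy of the explorer.exe report posted in this thread.
SAMPLE_VT_REPORT = """\
File explorer.exe received on 05.08.2008 04:33:08 (CET)
Current status: finished
Result: 26/31 (83.87%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Kaspersky - - Net-Worm.Win32.Kolabc.sg
Microsoft - - Exploit:Win32/MS06040.gen
Additional information
MD5: 5de56b7ff6bd37685948018b08587c09
SHA1: a8b76801901155b4595815ce6f728fa7911af65a
SHA256: 666f2328815c52c994c61b4a99f4e4c63f6b0046993ae084a03f566d6dbc8cde
"""

ALGOS = ("md5", "sha1", "sha256")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]+)$")
ROW_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")  # assumed: engine version update result


def digests_of_bytes(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path, chunk=1 << 20):
    """Stream the file so large binaries are hashed without being read into memory whole."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def parse_vt_report(text):
    """Pull the detection ratio, per-engine verdicts and file hashes out of a pasted report."""
    report = {"detected": None, "engines": None, "detections": {}, "hashes": {}}
    in_table = False
    for line in text.splitlines():
        m = re.match(r"^Result: (\d+)/(\d+)", line)
        if m:
            report["detected"], report["engines"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Antivirus Version"):
            in_table = True
        elif line.startswith("Additional information"):
            in_table = False
        elif in_table:
            m = ROW_RE.match(line)
            if m and m.group(4) != "-":          # "-" means the engine saw nothing
                report["detections"][m.group(1)] = m.group(4)
        else:
            m = HASH_RE.match(line)
            if m:
                report["hashes"][m.group(1).lower()] = m.group(2).lower()
    return report


def report_matches_file(report, digests):
    """True only if every hash the report lists equals the local digest: same bytes, same verdict."""
    common = set(report["hashes"]) & set(digests)
    return bool(common) and all(report["hashes"][a] == digests[a] for a in common)


if __name__ == "__main__":
    import sys
    report = parse_vt_report(SAMPLE_VT_REPORT)
    print("%d/%d engines flagged the sample" % (report["detected"], report["engines"]))
    for path in sys.argv[1:]:
        local = digests_of_file(path)
        verdict = "matches report" if report_matches_file(report, local) else "differs from report"
        print(path, verdict, local["sha256"])
```

Hash the file before uploading and keep the digests with the report; when a helper later asks for a rescan, comparing digests tells you immediately whether the file was replaced in the meantime.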
microwaver
2008-05-08, 08:51
My apologies, I forgot the file scans.
File scans completed, logs below including HJT log.
Regards,
microwaver
*******
File explorer.exe received on 05.08.2008 04:33:08 (CET)
Current status: finished
Result: 26/31 (83.87%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - Possibly a new variant of W32/NewUnknownMalware-OC05!Maximus
Avast - - Win32:DCom-F
AVG - - IRC/BackDoor.SdBot4.AHE
BitDefender - - Packer.PESpin.A
CAT-QuickHeal - - I-Worm.Kolabc.sg
ClamAV - - PUA.Packed.PESpin
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/NewUnknownMalware-OC05!Maximus
F-Secure - - Net-Worm.Win32.Kolabc.sg
Fortinet - - -
Ikarus - - Packer.PESpin.A
Kaspersky - - Net-Worm.Win32.Kolabc.sg
McAfee - - Generic.dx
Microsoft - - Exploit:Win32/MS06040.gen
NOD32v2 - - a variant of IRC/SdBot
Norman - - W32/Smalltroj.EGRN
Panda - - Bck/Sdbot.LUN
Prevx1 - - System Back Door
Rising - - Backdoor.Win32.SdBot.qtb
Sophos - - Mal/Generic-A
Sunbelt - - Net-Worm.Win32.Kolabc.sg
Symantec - - Trojan Horse
TheHacker - - W32/Kolabc.sg
VBA32 - - Net-Worm.Win32.Kolabc.sg
VirusBuster - - Packed/PeSpin
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: 5de56b7ff6bd37685948018b08587c09
SHA1: a8b76801901155b4595815ce6f728fa7911af65a
SHA256: 666f2328815c52c994c61b4a99f4e4c63f6b0046993ae084a03f566d6dbc8cde
SHA512: 6f00df64c519d680c44346bddadfd2c845cb0412e2fd4db778c25dadd401ba857a34c05a2d88377b114fa7025db945075930ef7a4e449a1f837e7ab5e56de48d
*******
File i950usersguide_us.exe received on 05.07.2008 07:41:16 (CET)
Current status: finished
Result: 0/31 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.06 -
AntiVir 7.8.0.11 2008.05.06 -
Authentium 4.93.8 2008.05.07 -
Avast 4.8.1169.0 2008.05.06 -
AVG 7.5.0.516 2008.05.06 -
BitDefender 7.2 2008.05.07 -
CAT-QuickHeal 9.50 2008.05.06 -
ClamAV 0.92.1 2008.05.07 -
DrWeb 4.44.0.09170 2008.05.06 -
eSafe 7.0.15.0 2008.05.06 -
eTrust-Vet 31.3.5765 2008.05.07 -
Ewido 4.0 2008.05.06 -
F-Prot 4.4.2.54 2008.05.06 -
F-Secure 6.70.13260.0 2008.05.07 -
Fortinet 3.14.0.0 2008.05.07 -
Ikarus T3.1.1.26 2008.05.07 -
Kaspersky 7.0.0.125 2008.05.07 -
McAfee 5289 2008.05.06 -
Microsoft 1.3408 2008.05.07 -
NOD32v2 3080 2008.05.06 -
Norman 5.80.02 2008.05.06 -
Panda 9.0.0.4 2008.05.06 -
Prevx1 V2 2008.05.07 -
Rising 20.43.12.00 2008.05.07 -
Sophos 4.29.0 2008.05.07 -
Sunbelt 3.0.1097.0 2008.05.07 -
Symantec 10 2008.05.07 -
TheHacker 6.2.92.301 2008.05.07 -
VBA32 3.12.6.5 2008.05.06 -
VirusBuster 4.3.26:9 2008.05.06 -
Webwasher-Gateway 6.6.2 2008.05.06 -
Additional information
File size: 2656532 bytes
MD5...: 7e50e92ae2ff2a0a6c6b8cafc91f4dbd
SHA1..: 4b5a894dbc1ed16e8d95715d4a15a6af8c19bdb2
SHA256: 0835b2b4c92d57f056183ae60d4c26101750918add6d589f0581d148aebe5815
SHA512: 776c78fcc3d4f4bedbb085230ff4bcc36d9cd2dfc5db6a78bfbe50f371b8fc956212ab929a7d06150eee951a52c7ce0021b315e30878d0e5348729607736a8e7
PEiD..: InstallShield 2000
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40a790
timedatestamp.....: 0x36204ffb (Sun Oct 11 06:28:11 1998)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1059a 0x10600 6.54 242ba85f240bf39695e71c8a7245a675
.rdata 0x12000 0xf54 0x1000 5.39 e9c8ed64396ce7df6b3cca4d32adaa68
.data 0x13000 0x12204 0x4000 2.64 c284c453fb63a8f27217a5d611c62db1
.rsrc 0x26000 0x3e0 0x400 3.26 779f143d7e356f5e9bf33dc7be98a8e1
( 3 imports )
> KERNEL32.dll: HeapAlloc, GetLastError, InterlockedExchange, GetCurrentProcess, GetModuleFileNameA, GetModuleHandleA, GetVersion, CreateMutexA, CreateFileA, ReleaseMutex, GetFullPathNameA, FileTimeToLocalFileTime, SetVolumeLabelA, _lclose, OpenFile, SetEvent, CreateThread, CreateEventA, CloseHandle, WaitForSingleObject, lstrcmpiA, InitializeCriticalSection, lstrlenA, lstrcpynA, GetVolumeInformationA, GetDriveTypeA, HeapFree, EnterCriticalSection, GetProcessHeap, SetFileTime, SetFileAttributesA, GetTimeZoneInformation, UnhandledExceptionFilter, SetFilePointer, SetCurrentDirectoryA, GetCurrentDirectoryA, CreateDirectoryA, LeaveCriticalSection, GetConsoleMode, FreeEnvironmentStringsA, ExitProcess, TerminateProcess, SetConsoleCtrlHandler, GetStartupInfoA, GetCommandLineA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, SetHandleCount, GetStdHandle, GetFileType, MultiByteToWideChar, WideCharToMultiByte, LCMapStringA, LCMapStringW, FlushFileBuffers, WriteFile, GetStringTypeA, GetStringTypeW, SetConsoleMode, LoadLibraryA, GetProcAddress, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, GetCPInfo, GetACP, GetOEMCP, RtlUnwind, ReadFile, SetStdHandle, FindFirstFileA, ReadConsoleInputA, SetEndOfFile, CompareStringA, CompareStringW, SetEnvironmentVariableA, HeapReAlloc, DeleteFileA, GetFileAttributesA, FindClose, FileTimeToSystemTime
> USER32.dll: OemToCharA, CharToOemA, SetDlgItemTextA, EndDialog, MessageBoxA, GetDlgItemTextA, SendMessageA, DialogBoxParamA, SendDlgItemMessageA
> ADVAPI32.dll: LookupPrivilegeValueA, GetSecurityDescriptorLength, IsValidSecurityDescriptor, SetKernelObjectSecurity, GetSecurityDescriptorControl, AdjustTokenPrivileges, GetKernelObjectSecurity, OpenProcessToken
( 0 exports )
packers: ZIP
**********
File wwbrowser.exe received on 05.07.2008 07:47:55 (CET)
Current status: finished
Result: 0/31 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.06 -
AntiVir 7.8.0.11 2008.05.06 -
Authentium 4.93.8 2008.05.07 -
Avast 4.8.1169.0 2008.05.06 -
AVG 7.5.0.516 2008.05.06 -
BitDefender 7.2 2008.05.07 -
CAT-QuickHeal 9.50 2008.05.06 -
ClamAV 0.92.1 2008.05.07 -
DrWeb 4.44.0.09170 2008.05.06 -
eSafe 7.0.15.0 2008.05.06 -
eTrust-Vet 31.3.5765 2008.05.07 -
Ewido 4.0 2008.05.06 -
F-Prot 4.4.2.54 2008.05.06 -
F-Secure 6.70.13260.0 2008.05.07 -
Fortinet 3.14.0.0 2008.05.07 -
Ikarus T3.1.1.26.0 2008.05.07 -
Kaspersky 7.0.0.125 2008.05.07 -
McAfee 5289 2008.05.06 -
Microsoft 1.3408 2008.05.07 -
NOD32v2 3080 2008.05.06 -
Norman 5.80.02 2008.05.06 -
Panda 9.0.0.4 2008.05.06 -
Prevx1 V2 2008.05.07 -
Rising 20.43.12.00 2008.05.07 -
Sophos 4.29.0 2008.05.07 -
Sunbelt 3.0.1097.0 2008.05.07 -
Symantec 10 2008.05.07 -
TheHacker 6.2.92.301 2008.05.07 -
VBA32 3.12.6.5 2008.05.06 -
VirusBuster 4.3.26:9 2008.05.06 -
Webwasher-Gateway 6.6.2 2008.05.06 -
Additional information
File size: 28672 bytes
MD5...: 3fc821d139382c31bfb66da0f8973241
SHA1..: 4a4905b7b8ca585b0a1f316fd3b96edd38c25db1
SHA256: a306cc703458f29ba012c2b5c2aa59bc8e2434f5fbd69c66b58ee5dea14bd137
SHA512: 2bec067373bda52c00b0e636ffeffe0d02e300cae0819a0c4c3bf290331a33a9
22a3fff5e0b4457ddcf80ce8943788681fca1644b093bc16f2f3078e4926b585
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40135c
timedatestamp.....: 0x39494d09 (Thu Jun 15 21:39:21 2000)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30a8 0x4000 4.48 3042c122c2c5eaa1d57192122b090466
.data 0x5000 0xa7c 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x6000 0x8e8 0x1000 1.91 859d1ac5d0e829e601b76637b11a9967
( 1 imports )
> MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLateIdCall, __vbaStrVarMove, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, -, _adj_fdivr_m16i, __vbaBoolVar, -, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, -, __vbaVarLateMemSt, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, -, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaVarAdd, __vbaLateMemCall, __vbaFpI4, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr
( 0 exports )
***************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:47 PM, on 5/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system\explorer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Express Technologies\World Watch\W32ALARM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows IP Security Service] nvhlq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows USB 2.0 Driver] usbservice.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU2] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows IP Security Service] nvhlq.exe (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: World Watch.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O20 - Winlogon Notify: awtqnkhe - awtqnkhe.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.medhelp.org/images/index/header2.jpg
--
End of file - 5908 bytes
********************
Rorschach112
2008-05-08, 14:40
Hello
Please go to UploadMalware (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: C:\WINDOWS\system\explorer.exe
In the comments, please mention that I asked you to upload this file
Click on Send File
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O4 - HKUS\S-1-5-18\..\Run: [Windows IP Security Service] nvhlq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows IP Security Service] nvhlq.exe (User 'Default user')
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O20 - Winlogon Notify: awtqnkhe - awtqnkhe.dll (file missing)
O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\WINDOWS\system\explorer.exe
Folder::
Registry::
Driver::
ExplorerSvc
SMSCGISVC
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Reboot and post a new HijackThis log
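The entries selected for Fix Checked above share a few recognisable traits: a bare executable name (no path) in the SYSTEM or Default User Run key, an explorer.exe running from C:\WINDOWS\system\ instead of C:\WINDOWS\, and services with "Unknown owner" or "(file missing)". The script below is an added example that turns that manual reasoning into a small triage pass over HijackThis O4/O20/O23 lines; it is not part of the thread and not HijackThis code. The sample log lines are constructed from the logs quoted in this thread, and the table of where Windows XP system binaries are expected to live is an assumption of the example.

```python
"""Triage HijackThis O4 / O20 / O23 lines with the reasoning a helper applies
by hand: bare names in SYSTEM run keys, masquerading system binaries, and
orphaned or vendor-less services. Added example; not HijackThis code."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the logs quoted in this thread: benign OEM
# autostarts mixed with the entries the helper asked to have fixed.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows IP Security Service] nvhlq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O20 - Winlogon Notify: awtqnkhe - awtqnkhe.dll (file missing)
O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
"""

# Assumption (Windows XP): where these system binaries legitimately live, with
# the drive letter stripped. The same file name anywhere else is a masquerade.
EXPECTED_DIR = {
    "explorer.exe": r"\windows",
    "svchost.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "smss.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32",
    "taskmgr.exe": r"\windows\system32",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.*?) - (?P<path>.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")


@dataclass(frozen=True)
class Finding:
    section: str  # O4, O20 or O23
    reason: str
    line: str


def _executable(cmd: str) -> str:
    """Best-effort extraction of the launched binary from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def _split_path(path: str) -> tuple[str, str]:
    """Return (directory without drive letter, file name), both lower-cased."""
    p = path.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    if len(directory) >= 2 and directory[1] == ":":
        directory = directory[2:]
    return directory, name


def masquerades(path: str) -> bool:
    """True when a well-known Windows binary name sits outside its real directory."""
    directory, name = _split_path(path)
    expected = EXPECTED_DIR.get(name)
    return expected is not None and directory != "" and directory != expected


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = _executable(USER_SUFFIX.sub("", m["cmd"]))
            if not exe:
                continue  # empty value (like the CU1/CU2 entries): nothing is launched
            if m["hive"].upper().startswith("HKUS\\") and "\\" not in exe:
                findings.append(Finding("O4", "bare executable name in a SYSTEM/Default User Run key (resolved via search path)", line))
            if masquerades(exe):
                findings.append(Finding("O4", "Windows binary name outside its expected directory", line))
        elif m := O20_RE.match(line):
            if "(file missing)" in m["dll"]:
                findings.append(Finding("O20", "Winlogon Notify DLL no longer on disk (orphaned persistence entry)", line))
        elif m := O23_RE.match(line):
            path = m["path"]
            if path.endswith("(file missing)"):
                findings.append(Finding("O23", "service binary no longer on disk (orphaned service registration)", line))
                path = path[: -len("(file missing)")]
            if masquerades(path):
                findings.append(Finding("O23", "Windows binary name outside its expected directory", line))
            if m["owner"] == "Unknown owner":
                findings.append(Finding("O23", "no vendor information in the service binary; verify before trusting", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The bare-name rule is deliberately limited to the HKUS hives: OEM entries such as ALCXMNTR.EXE under HKLM are also path-less but common, and flagging them would bury the real findings. "Unknown owner" on its own is only a prompt to verify the binary, which is why the masquerade and missing-file checks run independently of it.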
microwaver
2008-05-09, 07:16
Hello,
I have a worse infection than when we began.
C:\WINDOWS\system\explorer.exe has been uploaded to UploadMalware.
ComboFix scan has been run and log saved.
But, explorer is unusable and I cannot reach the log file to attach and in fact am having much trouble getting this reply typed.
Will try again tomorrow morning.
regards
microwaver
Rorschach112
2008-05-09, 18:22
It seems the malware has deleted your legit explorer.exe
Try to post a new HijackThis log from the PC.
microwaver
2008-05-10, 21:09
Finally got a scan completed:
HJT log below,
regards,
microwaver
*********
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:12 AM, on 5/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Express Technologies\World Watch\W32ALARM.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU2] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CU1] (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: World Watch.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.medhelp.org/images/index/header2.jpg
--
End of file - 4939 bytes
Rorschach112
2008-05-10, 21:30
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
O15 - Trusted Zone: *.gomyhit.com
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
Reboot and do this
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
microwaver
2008-05-11, 03:00
Hello,
scans completed, instructions completed, logs below.
regards,
microwaver
*************
Malwarebytes' Anti-Malware 1.12
Database version: 738
Scan type: Quick Scan
Objects scanned: 48528
Time elapsed: 7 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 46
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\rqRLBuRi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jkkJyyaY.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f8ec176-48d6-4bfd-92de-7a85ef9f845b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1f8ec176-48d6-4bfd-92de-7a85ef9f845b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{22a6ff82-b3e0-94bb-5fcd-ea067b86810f} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e243a8e7-6244-49e0-a361-22dbf30fd46c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e243a8e7-6244-49e0-a361-22dbf30fd46c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkjyyay (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{80ca71b9-35bd-4826-a0e2-63a6c5c20af1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e243a8e7-6244-49e0-a361-22dbf30fd46c} (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlburi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlburi -> Delete on reboot.
Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\rqRLBuRi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iRuBLRqr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iRuBLRqr.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2k3.ex~ (Backdoor.Rbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtuuSMc.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcyYPGa.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcAqpqQ.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBtTNHW.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGvTjgF.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkLBtUk.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnkkKaX.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkLeBT.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMffEXn.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHbASK.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNGWnN.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqRKcAP.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvSlihG.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUnLfGa.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyvtstT.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayvWoNE.dl~ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqQIBUK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMefEtT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXOGAtQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBuVlig.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkHWMDW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkJyyaY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnlLBQK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcCRJYR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcCUolL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRKCRHw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRLebCR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqNEXnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqQkijk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXPJDtr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcAPGxW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCULec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxxxXP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJAQGaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJCrOFy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJYpmji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmjGXP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmjIyW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccyxUmj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfDwuvs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfEVLFV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfGvvut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
*************
***main.txt from Deckard*******
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-10 16:48:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
64: 2008-05-10 23:48:16 UTC - RP411 - Deckard's System Scanner Restore Point
63: 2008-05-10 23:40:35 UTC - RP410 - Last known good configuration
62: 2008-05-10 23:40:30 UTC - RP409 - Last known good configuration
61: 2008-05-10 23:40:30 UTC - RP408 - Last known good configuration
60: 2008-05-10 23:40:30 UTC - RP407 - ComboFix created restore point
-- First Restore Point --
1: 2008-05-10 23:40:26 UTC - RP348 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 448 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:50 PM, on 5/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Express Technologies\World Watch\W32ALARM.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {1F8EC176-48D6-4BFD-92DE-7A85EF9F845B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {79A85DA4-3440-4847-9BDC-C336969371F9} - (no file)
O2 - BHO: (no name) - {81DB8A88-C074-4F93-B819-80B74BF1498C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU2] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CU1] (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: World Watch.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O20 - Winlogon Notify: jkkJyyaY - C:\WINDOWS\
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.medhelp.org/images/index/header2.jpg
--
End of file - 5623 bytes
-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\Desktop\backups\) ---------------
backup-20080510-161849-491 O4 - HKUS\S-1-5-18\..\Run: [Microsoft] wmism23.exe (User 'SYSTEM')
backup-20080510-161849-960 O15 - Trusted Zone: *.gomyhit.com
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - C:\WINDOWS\NOTEPAD.EXE "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R1 ewido security suite driver - c:\program files\ewido anti-malware\guard.sys
R1 hwinterface - c:\windows\system32\drivers\hwinterface.sys <Not Verified; Logix4u; hwinterface Driver Version 1.1>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S1 Freedom (Freedom Miniport) - c:\windows\system32\drivers\freedom.sys (file missing)
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S4 ewido security suite guard - c:\program files\ewido anti-malware\ewidoguard.exe <Not Verified; ewido networks; guard>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2004-04-06 23:27:18 354 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1071991571.job
-- Files created between 2008-04-10 and 2008-05-10 -----------------------------
2008-05-10 16:40:44 1065055 --ahs---- C:\WINDOWS\System32\iRuBLRqr.ini2
2008-05-10 16:27:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-10 16:27:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 20:52:51 373248 -----n--- C:\WINDOWS\System32\rqRLBuRi.dll
2008-05-08 20:12:55 57856 --a------ C:\WINDOWS\System32\vtUlJbxY.dll
2008-05-08 16:35:36 57856 -----n--- C:\WINDOWS\System32\jkkJyyaY.dll
2008-05-06 21:49:58 0 d-------- C:\WINDOWS\ERUNT
2008-05-05 21:57:42 68096 --a------ C:\WINDOWS\zip.exe
2008-05-05 21:57:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-05 21:57:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-05 21:57:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-05 21:57:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-05 21:57:42 98816 --a------ C:\WINDOWS\sed.exe
2008-05-05 21:57:42 80412 --a------ C:\WINDOWS\grep.exe
2008-05-05 21:57:42 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-02 00:42:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 00:42:13 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ESBCalc
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Corel
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ArcSoft
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Apple Computer
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\AOL
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Adobe
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Active Disk
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\accounts payable
2008-04-29 23:14:21 177328 --a------ C:\Documents and Settings\Administrator.PAVILION735N.002\~
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterVideo
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterTrust
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Identities
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Hewlett-Packard
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Help
2008-04-29 23:14:20 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\GTek
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Freedom
2008-04-29 23:14:19 0 d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Microsoft
2008-04-29 23:14:19 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Macromedia
2008-04-29 23:14:18 0 dra------ C:\Documents and Settings\Administrator.PAVILION735N.002\Favorites
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Desktop
2008-04-29 23:14:18 0 d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\Cookies
2008-04-29 23:14:18 0 drah----- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\VERITAS
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Symantec
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Share-to-Web Upload Folder
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\SampleView
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Qfin3
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSNInstaller
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSN6
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Motive
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Templates
2008-04-29 23:14:16 0 dra------ C:\Documents and Settings\Administrator.PAVILION735N.002\Start Menu
2008-04-29 23:14:16 0 drah----- C:\Documents and Settings\Administrator.PAVILION735N.002\SendTo
2008-04-29 23:14:16 0 drah----- C:\Documents and Settings\Administrator.PAVILION735N.002\Recent
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\PrintHood
2008-04-29 23:14:16 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\pcbenv
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\NetHood
2008-04-29 23:14:16 0 dra------ C:\Documents and Settings\Administrator.PAVILION735N.002\My Documents
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Local Settings
2008-04-29 23:14:15 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\WINDOWS
2008-04-29 23:14:15 0 d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\UserData
2008-04-29 23:14:15 2097152 --ah----- C:\Documents and Settings\Administrator.PAVILION735N.002\NTUSER.DAT
2008-04-21 17:17:54 6815744 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-04-14 17:48:06 0 d-------- C:\Program Files\PentaLogix
-- Find3M Report ---------------------------------------------------------------
2008-04-14 17:48:06 0 d--h----- C:\Program Files\InstallShield Installation Information
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8EC176-48D6-4BFD-92DE-7A85EF9F845B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79A85DA4-3440-4847-9BDC-C336969371F9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81DB8A88-C074-4F93-B819-80B74BF1498C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 06:42 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 10:42 PM]
"nwiz"="nwiz.exe" [09/09/2002 11:35 PM C:\WINDOWS\system32\nwiz.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [07/06/2001 09:56 PM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 05:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/16/2002 07:05 AM]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [06/18/2002 12:11 AM]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/20/2006 01:30 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 02:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [02/03/2008 02:14 PM]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" []
"RegistryMechanic"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 11:08 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 10:03 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CU1"=
"CU2"=
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 7:11:12 PM]
World Watch.lnk - C:\Program Files\Express Technologies\World Watch\W32ALARM.exe [1/29/2008 12:17:20 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoSharedDocuments"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkJyyaY]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
-- End of Deckard's System Scanner: finished at 2008-05-10 16:49:28 ------------
*****extra.txt from Deckard*******
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English
CPU 0: AMD Athlon(tm) XP 2600+
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 447.36 MiB / 186.08 MiB
Pagefile Memory (total/avail): 1058.82 MiB / 881.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.06 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 48.82 GiB total, 25.1 GiB free.
D: is Fixed (FAT32) - 21.63 GiB total, 20.92 GiB free.
E: is Fixed (FAT32) - 4.08 GiB total, 0.74 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
\\.\PHYSICALDRIVE0 - SAMSUNG SV0813H - 74.56 GiB - 3 partitions
\PARTITION0 - Unknown - 4.09 GiB - E:
\PARTITION1 (bootable) - Installable File System - 48.82 GiB - C:
\PARTITION2 - Unknown - 21.64 GiB - D:
\\.\PHYSICALDRIVE1 - eUSB Compact Flash USB Device
\\.\PHYSICALDRIVE2 - eUSB SD-MS-SM USB Device
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PAVILION735N
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
KMP_DUPLICATE_LIB_OK=TRUE
LOGONSERVER=\\PAVILION735N
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor\services;C:\Program Files\Sonic\MyDVD;C:\Program Files\Common Files\Autodesk Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=PAVILION735N
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Owner (admin)
patches
Administrator.PAVILION735N.002 (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {60E971B7-51A0-48CA-8687-C6B8F094A409}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}\setup.exe" -l0x9 -L0x9anything
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{95E1CCAE-8286-4035-B5F7-1B147254A2CB}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4nec2 extension version 5.6.7 --> C:\4nec2\unins001.exe
4nec2 version 5.6.7 --> C:\4nec2\unins000.exe
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Amateur Contact Log 3.0 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ACLog 3.0\ST6UNST.LOG"
Ansoft Designer 2.2 SV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9F87795-BD95-4C25-97A7-027B2117EF41}\Setup.exe" -l0x9
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AppCAD --> MsiExec.exe /X{19E95B87-3DCE-11D7-9B2F-0060B0F769F5}
ArcSoft Picture Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
AutoCAD 2002 --> MsiExec.exe /I{5783F2D7-0101-0409-0000-0060B0CE6BBA}
AZMap --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\AZMap\UnInst01.log" "/APPNAME=AZMap"
Costco Photo Organizer --> MsiExec.exe /X{BA156277-D012-4509-9F9D-5587357B7207}
CQPWIN105 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\CQPWIN105\ST6UNST.LOG"
CtWin --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A0B6FA8-E6BE-4FA6-87F6-40ADC737D9EF}\setup.exe" -l0x9
Download Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D59B81CF-8558-41E2-AB04-4BA770158AAA}\Setup.exe" -l0x9
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
ewido anti-malware --> C:\Program Files\ewido anti-malware\Uninstall.exe
ExpressPCB --> MsiExec.exe /X{C304ED8D-3752-4F60-84CE-CF9C12D4FBDB}
FastStone Image Viewer 3.4 --> C:\Program Files\FastStone Image Viewer\uninst.exe
Field Day 2.8 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Field Day 2.8\ST6UNST.LOG"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Ham CAP 1.5 --> "C:\Program Files\Afreet\Ham CAP\unins000.exe"
Ham Radio Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DF979D5-464C-4926-AF73-54C1C219F06A}\setup.exe" -l0x9 Remove
Helical --> C:\WINDOWS\Helical Uninstaller.exe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
HP Digital Imaging Album Printing 1.0 --> MsiExec.exe /X{47D4AF7B-EDE6-4ADB-8D2F-0BDA25C7321F}
hp instant support --> C:\PROGRA~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
HP Memories Disc --> MsiExec.exe /X{6CAEFA23-0C08-4899-A661-29D69228AF6D}
HP Photo and Imaging 1.1 - Photosmart Cameras --> MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel(R) Extreme Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
ITS HF Propagation 2006.11.18 --> c:\itshfbc\Setup.exe /remove
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Documents and Settings\Owner\Desktop\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\Setup.exe" -l0x9 -L0x9 /SMAINT
NVIDIA Drivers --> C:\WINDOWS\System32\nvuaudio.exe UninstallGUI
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PCB123 V2 --> "C:\Program Files\PCB123 V2\Uninstall.exe" "C:\Program Files\PCB123 V2\install.log"
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Rugrats Totally Angelica Boredom Buster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D9EA453-3D9F-4EBE-B2D0-4195255FB907}\setup.exe"
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
SD V13.29 --> "C:\SD\unins000.exe"
Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Simple Backup for My Pictures --> MsiExec.exe /I{60E971B7-51A0-48CA-8687-C6B8F094A409}
Simple Installer - Multilanguage Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}\setup.exe"
SmartDraw 2007 --> C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\install.log
Social Security Benefit Calculator --> MsiExec.exe /I{5E7FC920-890C-4806-A71F-EB768D453DF2}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TinyCAD 2.60.01 --> C:\Program Files\TinyCAD\uninst.exe
toolkit --> c:\Windows\HPTK\unhptkit.exe
Verizon Online --> C:\WINDOWS\System32\VerizonUninstaller.exe
Verizon SmartCall --> C:\PROGRA~1\VERIZO~1\SMARTC~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\SMARTC~1\INSTALL.LOG
ViewMate 10.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD5D60CB-EF42-4919-8FFC-B4594C042611}\setup.exe" -l0x9 -removeonly
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Volo View Express --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Volo View Express\DeIsL1.isu"
W6ELProp --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\W6ELPROP.INF, DefaultUninstall.ntx86
WildTangent Channel Manager --> C:\Program Files\WildTangent\DDC\DDCManager\Uninstall.exe
Windows Media Hotfix - KB895181 --> "C:\WINDOWS\$NtUninstallKB895181$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
World Watch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96AC14CE-2C73-4978-8D20-3ACCC293D746}\Setup.exe" -l0x9
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\common\unypsr.exe
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\common\unyt.exe
-- Application Event Log -------------------------------------------------------
Event Record #/Type7972 / Error
Event Submitted/Written: 05/08/2008 09:07:13 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
Event Record #/Type7971 / Error
Event Submitted/Written: 05/08/2008 09:07:13 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Event Record #/Type7935 / Error
Event Submitted/Written: 05/08/2008 06:26:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2800.1106, faulting module unknown, version 0.0.0.0, fault address 0x6304222e.
Event Record #/Type7934 / Error
Event Submitted/Written: 05/08/2008 06:25:29 PM
Event ID/Source: 1 / Google_Toolbar
Event Description:
Google Toolbar error dump created. ID: 0. Local file: C:\DOCUME~1\Owner\LOCALS~1\Temp\Google_Toolbar4.0.1601.4978_big080508-182526.dmp.
Event Record #/Type7925 / Error
Event Submitted/Written: 05/06/2008 09:47:50 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type16978 / Error
Event Submitted/Written: 05/10/2008 04:46:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The wscsvc service failed to start due to the following error:
%%1083
Event Record #/Type16977 / Error
Event Submitted/Written: 05/10/2008 04:46:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2
Event Record #/Type16968 / Error
Event Submitted/Written: 05/10/2008 04:43:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The wscsvc service failed to start due to the following error:
%%1083
Event Record #/Type16967 / Error
Event Submitted/Written: 05/10/2008 04:43:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2
Event Record #/Type16821 / Error
Event Submitted/Written: 05/10/2008 04:22:42 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The wscsvc service failed to start due to the following error:
%%1083
-- End of Deckard's System Scanner: finished at 2008-05-10 16:49:28 ------------
*************end of reply***********
Rorschach112
2008-05-11, 13:50
Hello
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.
1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {1F8EC176-48D6-4BFD-92DE-7A85EF9F845B} - (no file)
O2 - BHO: (no name) - {79A85DA4-3440-4847-9BDC-C336969371F9} - (no file)
O2 - BHO: (no name) - {81DB8A88-C074-4F93-B819-80B74BF1498C} - (no file)
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - (no file)
O20 - Winlogon Notify: jkkJyyaY - C:\WINDOWS\
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\WINDOWS\System32\iRuBLRqr.ini2
C:\WINDOWS\System32\rqRLBuRi.dll
C:\WINDOWS\System32\vtUlJbxY.dll
C:\WINDOWS\System32\jkkJyyaY.dll
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Reboot and post a new DSS log
microwaver
2008-05-11, 23:56
Hello,
Instructions completed and new DSS scan completed.
DSS log below.
Thanks and regards,
microwaver
************
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-11 13:51:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 448 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:23 PM, on 5/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Express Technologies\World Watch\W32ALARM.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CU1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CU2] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CU1] (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: World Watch.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.medhelp.org/images/index/header2.jpg
--
End of file - 5095 bytes
-- Files created between 2008-04-11 and 2008-05-11 -----------------------------
2008-05-10 16:27:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-10 16:27:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 21:49:58 0 d-------- C:\WINDOWS\ERUNT
2008-05-05 21:57:42 68096 --a------ C:\WINDOWS\zip.exe
2008-05-05 21:57:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-05 21:57:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-05 21:57:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-05 21:57:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-05 21:57:42 98816 --a------ C:\WINDOWS\sed.exe
2008-05-05 21:57:42 80412 --a------ C:\WINDOWS\grep.exe
2008-05-05 21:57:42 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-02 00:42:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 00:42:13 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ESBCalc
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Corel
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\ArcSoft
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Apple Computer
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\AOL
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Adobe
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Active Disk
2008-04-29 23:14:21 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\accounts payable
2008-04-29 23:14:21 177328 --a------ C:\Documents and Settings\Administrator.PAVILION735N.002\~
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterVideo
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\InterTrust
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Identities
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Hewlett-Packard
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Help
2008-04-29 23:14:20 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\GTek
2008-04-29 23:14:20 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Freedom
2008-04-29 23:14:19 0 d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Microsoft
2008-04-29 23:14:19 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Macromedia
2008-04-29 23:14:18 0 dra------ C:\Documents and Settings\Administrator.PAVILION735N.002\Favorites
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Desktop
2008-04-29 23:14:18 0 d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\Cookies
2008-04-29 23:14:18 0 drah----- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\VERITAS
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Symantec
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Share-to-Web Upload Folder
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\SampleView
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Qfin3
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSNInstaller
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\MSN6
2008-04-29 23:14:18 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\Application Data\Motive
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Templates
2008-04-29 23:14:16 0 dra------ C:\Documents and Settings\Administrator.PAVILION735N.002\Start Menu
2008-04-29 23:14:16 0 drah----- C:\Documents and Settings\Administrator.PAVILION735N.002\SendTo
2008-04-29 23:14:16 0 drah----- C:\Documents and Settings\Administrator.PAVILION735N.002\Recent
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\PrintHood
2008-04-29 23:14:16 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\pcbenv
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\NetHood
2008-04-29 23:14:16 0 dra------ C:\Documents and Settings\Administrator.PAVILION735N.002\My Documents
2008-04-29 23:14:16 0 d--h----- C:\Documents and Settings\Administrator.PAVILION735N.002\Local Settings
2008-04-29 23:14:15 0 d-------- C:\Documents and Settings\Administrator.PAVILION735N.002\WINDOWS
2008-04-29 23:14:15 0 d---s---- C:\Documents and Settings\Administrator.PAVILION735N.002\UserData
2008-04-29 23:14:15 2097152 --ah----- C:\Documents and Settings\Administrator.PAVILION735N.002\NTUSER.DAT
2008-04-21 17:17:54 6815744 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-04-14 17:48:06 0 d-------- C:\Program Files\PentaLogix
-- Find3M Report ---------------------------------------------------------------
2008-04-14 17:48:06 0 d--h----- C:\Program Files\InstallShield Installation Information
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 06:42 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 10:42 PM]
"nwiz"="nwiz.exe" [09/09/2002 11:35 PM C:\WINDOWS\system32\nwiz.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [07/06/2001 09:56 PM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 05:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/16/2002 07:05 AM]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [06/18/2002 12:11 AM]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/20/2006 01:30 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 02:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [02/03/2008 02:14 PM]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" []
"RegistryMechanic"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 11:08 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 10:03 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CU1"=
"CU2"=
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 7:11:12 PM]
World Watch.lnk - C:\Program Files\Express Technologies\World Watch\W32ALARM.exe [1/29/2008 12:17:20 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoSharedDocuments"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
-- End of Deckard's System Scanner: finished at 2008-05-11 13:51:46 ------------
Rorschach112
2008-05-12, 01:51
Your logs are clean ! We need to do a few things
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
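The Internet zone steps in the reply above (Inetcpl.cpl, Security tab, Custom level) change three DWORD values under the zone's registry key, and the same change can be verified afterwards from a registry export instead of by clicking through the dialog. The script below is an added example, not part of the reply and not a tool from this thread: it parses the text that a `reg export` of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 produces and reports which of the three settings are still more permissive than the reply recommends. The mapping of value names 1001, 1004 and 1201 to the three dialog options, and of data 0/1/3 to Enable/Prompt/Disable, is an assumption stated in the code rather than something the post says; the sample export is constructed.

```python
"""Audit the Internet zone ActiveX settings described in the reply above.

Added example, not from the original post. It runs offline on the text of
a registry export such as
    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3" zone3.reg
(reg.exe writes that file as UTF-16LE; open it with encoding="utf-16").
Assumed mapping (not stated in the post): value names under Zones\\3 are
IE URL-action IDs, 1001 = download signed ActiveX controls, 1004 = download
unsigned ActiveX controls, 1201 = initialize and script ActiveX controls not
marked as safe; data 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import re

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Target state from the reply: signed/unsigned download -> Prompt, unsafe init -> Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 1),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Enable is the most permissive, Disable the strictest; used to decide whether a
# current value is weaker than the target.
STRICTNESS = {0: 0, 1: 1, 3: 2}

# Constructed sample export (not a real machine's registry): two settings have
# been loosened to a weaker level than the reply asks for, one is already stricter.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    dword data becomes an int, quoted string data a str; other types are kept
    as the raw token. The default value (@) and hex continuation lines are
    skipped: this reads DWORD zone settings, it does not round-trip a full export.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                current[name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = data[1:-1]
            else:
                current[name] = data
    return keys


def audit_internet_zone(keys):
    """Return [(value_id, description, current, recommended)] for each setting
    that is missing or more permissive than the reply's target.

    A setting that is already stricter (Disable where Prompt is recommended)
    is left alone: the point is to raise the floor, not to loosen a good setup.
    """
    zone = keys.get(ZONE3_KEY, {})
    findings = []
    for value_id, (description, want) in RECOMMENDED.items():
        have = zone.get(value_id)
        if have not in STRICTNESS or STRICTNESS[have] < STRICTNESS[want]:
            findings.append((value_id, description, have, want))
    return findings


def format_findings(findings):
    """One human-readable line per finding."""
    lines = []
    for value_id, description, have, want in findings:
        current = SETTING_NAMES.get(have, "not set" if have is None else f"unknown ({have})")
        lines.append(f"{value_id} {description}: {current} -> set to {SETTING_NAMES[want]}")
    return lines


if __name__ == "__main__":
    for line in format_findings(audit_internet_zone(parse_reg_export(SAMPLE_EXPORT))):
        print(line)
```

Run against the constructed export it reports 1001 (Enable, should be Prompt) and 1201 (Prompt, should be Disable) and stays quiet about 1004, which is already at Disable. Exporting the key again after the dialog changes and re-running the audit is a quick way to confirm the settings actually took, and to notice if a later program or hijacker has loosened them again.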
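The MVPS HOSTS file recommendation above works because Windows reads the hosts file before it sends a DNS query, so any name the file maps to 127.0.0.1 (or 0.0.0.0) is answered locally and never reaches the ad or malware site. The script below is an added example written for this thread, not code from the reply or from the MVPS project: it parses a hosts file in the blocklist layout, emulates the hosts-first resolution order, and adds the check a practitioner wants before installing a large blocklist, namely that it does not also sinkhole names the same reply depends on (Windows Update). The sample hosts content, the stand-in DNS table and the MUST_REACH list are constructed assumptions.

```python
"""How a HOSTS-file blocklist (such as the MVPS one recommended above) works.

Added example, not part of the original reply and not the MVPS file. Windows
consults the hosts file under %SystemRoot%\\system32\\drivers\\etc before it
sends a DNS query, so a name the file maps to 127.0.0.1 (or 0.0.0.0) never
leaves the machine. The sample below is constructed to exercise the format
(address, whitespace, one or more names, optional # comment); the DNS table
used in resolve() is a stand-in dict, not a live lookup.
"""

SAMPLE_HOSTS = """\
# Constructed sample in the usual blocklist layout (not the real MVPS file)
127.0.0.1       localhost
127.0.0.1\tads.example.net                  # banner ads
127.0.0.1       tracker.example.org stats.example.org
0.0.0.0         malware-download.example.com
#127.0.0.1      disabled.example.net         (commented out: must not block)
127.0.0.1       download.windowsupdate.com   # wrong on purpose: see check_collateral

"""

# Addresses blocklists use to sinkhole a name.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names the reply's other advice (keep Windows updated) needs to reach.
# Assumed list for the example, not from the post.
MUST_REACH = ("windowsupdate.microsoft.com", "update.microsoft.com",
              "download.windowsupdate.com")


def parse_hosts(text):
    """Return {hostname (lower-case): address} from hosts-file text.

    Strips comments and blank lines, accepts tabs or spaces, allows several
    names on one line, and keeps the first mapping for a name (the resolver
    uses the first match, so a later duplicate does not override it).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name is malformed; ignore it
        address, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name, table, dns=None):
    """Emulate the resolver order: hosts file first, then DNS.

    Returns (address, source) where source is "hosts", "dns" or "nxdomain".
    """
    key = name.strip().rstrip(".").lower()
    if key in table:
        return table[key], "hosts"
    if dns and key in dns:
        return dns[key], "dns"
    return None, "nxdomain"


def is_blocked(name, table):
    """True when the hosts file sinkholes the name to a loopback/unspecified address."""
    address, source = resolve(name, table)
    if source != "hosts" or name.strip().rstrip(".").lower() == "localhost":
        return False  # localhost legitimately maps to 127.0.0.1; that is not a block
    return address in SINKHOLE_ADDRESSES


def check_collateral(table, must_reach=MUST_REACH):
    """Names the blocklist would sinkhole even though the machine must reach them."""
    return [n for n in must_reach if is_blocked(n, table)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    fake_dns = {"www.example.com": "93.184.216.34"}  # constructed answer
    for n in ("ads.example.net", "www.example.com", "disabled.example.net"):
        print(n, resolve(n, hosts, fake_dns))
    print("collateral:", check_collateral(hosts))
```

With the constructed sample, ads.example.net is answered from the hosts file as 127.0.0.1, www.example.com falls through to DNS, the commented-out line blocks nothing, and check_collateral() flags download.windowsupdate.com, the kind of line that would silently break the "keep Windows updated" advice in the same reply. A blocklist entry using 0.0.0.0 is treated the same as 127.0.0.1. On Windows XP a very large hosts file can slow name resolution while the DNS Client service is running; the MVPS page linked above covers that.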
microwaver
2008-05-12, 08:49
Hello, and thanks for all your help.
I will install your recommendations, then SP2.
Best regards,
microwaver
Rorschach112
2008-05-12, 17:05
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.