Credit card number theft, slow mouse response, CD burner failure & more [Archive]

View Full Version : Credit card number theft, slow mouse response, CD burner failure & more

atmo_man

2006-11-19, 02:26

I hope you can help. I have been dealing for months with an often slow and unresponsive mouse, failures in CD burning, and an inability to shutdown or restart my PC without performing a cold boot. I recently found an unauthorized charge on my credit card (which has since been reported stolen) and suspected some form of keylogger as the culprit since I had just not long ago conducted a transaction with a reputable online retailer on this PC.

I have followed the instructions in the "BEFORE you POST" sticky to the letter and the HijackThis and online virus scan (run using eTrust Antivirus Web Scanner) logs have been pasted below.

Please help if you can! Many thanks!

Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:41 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\AntiSpyWare\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/07e5c92e2d1436b79902/netzip/RdxIE2.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

eTrust Antivirus Web Scanner log:

Scan Results: 142162 files scanned. 4 viruses were detected.

File Infection Status Path
Animae.class-708c5f2f-6ff35056.class Java/ByteVerify!exploit infected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
Animan.class-2538e1c0-14927507.class Java/ByteVerify!exploit infected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfge.class-47275ab6-2c0ddef6.class Java/Shinwow.BD infected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfgn.class-4b4439b7-12f3772c.class Java/Shinwow.BD infected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\

LonnyRJones

2006-11-26, 01:06

Welcome

Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - SOFTWARE - (no file)
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Optional items >
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
click the first download button (version with grapichal user interface)
Download/save (not open) and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

atmo_man

2006-11-26, 23:48

Thanks for your reply, Lonny.

The four items you identified were found by HijackThis. I opted to have it fix all four of them and restarted my computer per your instructions.

I downloaded and ran F-Secure Blacklight. It did not find any files. I included the log it created below.

I also downloaded and ran ComboFix and ran it and the log it created appears after the Blacklight log below.

= = = = = = = = = = = = = =

Blacklight log:

11/26/06 14:22:34 [Info]: BlackLight Engine 1.0.47 initialized
11/26/06 14:22:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/26/06 14:22:35 [Note]: 7019 4
11/26/06 14:22:35 [Note]: 7005 0
11/26/06 14:22:53 [Note]: 7006 0
11/26/06 14:22:53 [Note]: 7011 2000
11/26/06 14:22:53 [Note]: 7026 0
11/26/06 14:22:53 [Note]: 7026 0
11/26/06 14:23:09 [Note]: FSRAW library version 1.7.1020
11/26/06 14:44:17 [Note]: 2000 1012
11/26/06 14:44:17 [Note]: 2000 1012
11/26/06 14:51:37 [Note]: 7007 0

= = = = = = = = = = = = = =

ComboFix log:

Owner - 06-11-26 14:54:02.37 Service Pack 2
ComboFix 06.11.26 - Running from: "C:\AntiSpyWare"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Owner\Application Data\Install.dat

((((((((((((((((((((((((((((((( Files Created from 2006-10-26 to 2006-11-26 ))))))))))))))))))))))))))))))))))

2006-11-18 17:55 <DIR> d-------- C:\AntiSpyWare
2006-11-16 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-16 03:00 <DIR> d-------- C:\4bc08c6c846392effee7c5e5
2006-11-09 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2006-11-09 21:11 <DIR> d-------- C:\Program Files\Maxtor
2006-11-09 20:27 <DIR> d-------- C:\Program Files\Windows Defender
2006-11-08 18:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-15 19:17 -------- d-------- C:\Program Files\Internet Explorer
2006-11-08 22:34 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-08 18:48 -------- d-------- C:\Program Files\Lavasoft
2006-10-17 07:20 -------- d-------- C:\Program Files\Google
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"TPP Auto Loader"="C:\\WINDOWS\\tppaldr.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"MaxtorOneTouch"="C:\\Program Files\\Maxtor\\OneTouch\\utils\\Onetouch.exe"
@=""
"mxomssmenu"="\"C:\\Program Files\\Maxtor\\OneTouch Status\\maxmenumgr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 2.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center UI.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center UI.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Shadow\\SHADOW~1.EXE -STARTUP"
"item"="hp center UI"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Program\\BACKWE~1.EXE -startup"
"item"="hp center"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MeowPal.LNK]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\MeowPal.LNK"
"backup"="C:\\WINDOWS\\pss\\MeowPal.LNKStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Owner\\My Documents\\MeowPal.exe MeowPal"
"item"="MeowPal"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCActiveMenu"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\ActiveMenu\\DDCActiveMenu.exe\" -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCMan"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\DDCManager\\DDCMan.exe\" -Background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\easywww]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="easywww2"
"hkey"="HKLM"
"command"="C:\\windows\\easywww2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internat Conf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bootconf"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\bootconf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cfgwiz"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setup"
"hkey"="HKLM"
"command"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\redirect]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="redirect7"
"hkey"="HKLM"
"command"="C:\\windows\\redirect7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3apphk"
"hkey"="HKLM"
"command"="S3apphk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="evntsvc"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AutoStarterR"
"hkey"="HKLM"
"command"="C:\\Program Files\\Zero Knowledge\\Freedom\\AutoStarterR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061126-141157-645
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
backup-20061126-141156-105
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
backup-20061126-141156-470
O2 - BHO: (no name) - SOFTWARE - (no file)
backup-20061126-141156-325
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-26 14:56:00.75
C:\ComboFix.txt ... 06-11-26 14:56

LonnyRJones

2006-11-27, 07:49

Not seeing anything but obsolete startups, Items you have disabled.

If you would like to remove them:
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

Windows Registry Editor Version 5.00
;
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\easywww]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internat Conf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\redirect]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)
Note: This Scanner is for Internet Explorer Only!

Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

atmo_man

2006-11-30, 16:51

I ran the registry fix as you suggested.

I also ran the F-Secure Online Scanner as you suggested, but I ran into a problem. After the scan was done and I selected the automatic cleaning option, it indicated that there were 11 problems to fix. It began fixing problems and I left my computer for an hour. When I returned it was on 3 of 11, so I went away for another hour and when I returned it was still on 3 of 11. At that point I opted to cancel the cleaning, since I thought it had gotten stuck, and thought I would run the scan again. After I cancelled the cleaning there was an option to Show Report, but I foolishly did not look at it or save it. Instead I ran the scan again and when it was complete it indicated that there were no problems to fix.

What should I do now?

LonnyRJones

2006-11-30, 18:57

Im glad you ran the scan again and that nothing was found.

Are there any current problems ?

Lets check for rootkits
Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
click the first download button (version with grapichal user interface)
Download/save (not open) and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

atmo_man

2006-12-01, 04:04

I guess the main problem I can see that still exists is that I continue to have instances of FirewallDisableNotify and VirusScanDisableNotify when I run Search & Destroy and I haven't done anything to disable them myself. Each time I choose to repair these items but they keep resurfacing. There's obviously something in the registry that's not getting cleaned.

I still had Blacklight downloaded from when you told me to download it before, so I ran it again and it found no files. The log is below:

11/26/06 14:22:34 [Info]: BlackLight Engine 1.0.47 initialized
11/26/06 14:22:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/26/06 14:22:35 [Note]: 7019 4
11/26/06 14:22:35 [Note]: 7005 0
11/26/06 14:22:53 [Note]: 7006 0
11/26/06 14:22:53 [Note]: 7011 2000
11/26/06 14:22:53 [Note]: 7026 0
11/26/06 14:22:53 [Note]: 7026 0
11/26/06 14:23:09 [Note]: FSRAW library version 1.7.1020
11/26/06 14:44:17 [Note]: 2000 1012
11/26/06 14:44:17 [Note]: 2000 1012
11/26/06 14:51:37 [Note]: 7007 0

Any other ideas?

LonnyRJones

2006-12-01, 04:15

I think its mcafee takes over for windows security center.

If there are no apperent problems with your antivirus Have SpyBot ignore the
"Windows Security Center"

FAQ, Why does Spybot-S&D flag changes in the Windows Security Center:
http://www.safer-networking.org/en/faq/46.html
"Windows Security Center"
Please see comment by md usa spybot fan here
http://forums.spybot.info/showthread.php?t=250

LonnyRJones

2006-12-11, 12:23

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

LonnyRJones

2006-12-11, 12:23

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).