
Thread: "Ultimate Defender"

  1. #11
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    b.) Removed "Logitech Desktop Messenger" from my machine. Could there be a similar program for H-P products?

    Sorry, I don't know of any HP products that are similar to Logitech Desktop Messenger.





    Step # 1: Run CFScript

    Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

    Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.


    • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File:: 
      
      C:\WINDOWS\srchasst\srchasst.exe
      C:\WINDOWS\srchasst\mui\0409\0409.exe
      C:\WINDOWS\srchasst\chars\chars.exe
      C:\WINDOWS\Registration\Registration.exe
      C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
      C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
      C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
      C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
      C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
      C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
      C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
      C:\WINDOWS\pchealth\helpctr\System\System.exe
      C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
      C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
      C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
      C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
      C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
      C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
      C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
      C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
      C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
      C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
      C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
      C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
      C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
      C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
      C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
      C:\WINDOWS\pchealth\helpctr\System\images\images.exe
      C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
      C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
      C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
      C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
      C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
      C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
      C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
      C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
      C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
      C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
      C:\WINDOWS\pchealth\helpctr\System\css\css.exe
      C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
      C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
      C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
      C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
      C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
      C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
      C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
      C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Step # 2: Post Logs

    In your next post/reply, I'd like to see the following:

    1. ComboFix Log (C:\ComboFix.txt)
    2. A fresh HiJackThis Log


    If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
    Malware Removal University Master
    Member of ASAP & UNITE

  2. #12
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    Per your instructions:
    I. ComboFix Log, 27Dec07 (after throwing out old ComboFix & downloading new one)
    ComboFix 07-12-21.4 - user 2007-12-27 8:47:58.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT -5:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe
    C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
    C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
    C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
    C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
    C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
    C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
    C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
    C:\WINDOWS\pchealth\helpctr\System\css\css.exe
    C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
    C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
    C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
    C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
    C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
    C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
    C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
    C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
    C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
    C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
    C:\WINDOWS\pchealth\helpctr\System\images\images.exe
    C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
    C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
    C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
    C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
    C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
    C:\WINDOWS\pchealth\helpctr\System\System.exe
    C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
    C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
    C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
    C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
    C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
    C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
    C:\WINDOWS\Registration\Registration.exe
    C:\WINDOWS\srchasst\chars\chars.exe
    C:\WINDOWS\srchasst\mui\0409\0409.exe
    C:\WINDOWS\srchasst\srchasst.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe
    C:\WINDOWS\pchealth\helpctr\Indices\Indices.exe
    C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe
    C:\WINDOWS\pchealth\helpctr\OfflineCache\OfflineCache.exe
    C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\Professional_32#0409.exe
    C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe
    C:\WINDOWS\pchealth\helpctr\System\blurbs\blurbs.exe
    C:\WINDOWS\pchealth\helpctr\System\CompatCtr\CompatCtr.exe
    C:\WINDOWS\pchealth\helpctr\System\css\css.exe
    C:\WINDOWS\pchealth\helpctr\System\dialogs\dialogs.exe
    C:\WINDOWS\pchealth\helpctr\System\DVDUpgrd\DVDUpgrd.exe
    C:\WINDOWS\pchealth\helpctr\System\ErrMsg\ErrMsg.exe
    C:\WINDOWS\pchealth\helpctr\System\errors\errors.exe
    C:\WINDOWS\pchealth\helpctr\System\images\16x16\16x16.exe
    C:\WINDOWS\pchealth\helpctr\System\images\24x24\24x24.exe
    C:\WINDOWS\pchealth\helpctr\System\images\32x32\32x32.exe
    C:\WINDOWS\pchealth\helpctr\System\images\48x48\48x48.exe
    C:\WINDOWS\pchealth\helpctr\System\images\Centers\Centers.exe
    C:\WINDOWS\pchealth\helpctr\System\images\Expando\Expando.exe
    C:\WINDOWS\pchealth\helpctr\System\images\images.exe
    C:\WINDOWS\pchealth\helpctr\System\NetDiag\NetDiag.exe
    C:\WINDOWS\pchealth\helpctr\System\panels\panels.exe
    C:\WINDOWS\pchealth\helpctr\System\panels\subpanels\subpanels.exe
    C:\WINDOWS\pchealth\helpctr\System\rc\rc.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Css\Css.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Client\Client.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\Server.exe
    C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Remote Assistance.exe
    C:\WINDOWS\pchealth\helpctr\System\scripts\scripts.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\33x16pie\33x16pie.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\47x24pie.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\graphics.exe
    C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfo.exe
    C:\WINDOWS\pchealth\helpctr\System\System.exe
    C:\WINDOWS\pchealth\helpctr\System\UpdateCtr\UpdateCtr.exe
    C:\WINDOWS\pchealth\helpctr\System_OEM\images\images.exe
    C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM.exe
    C:\WINDOWS\pchealth\helpctr\System_OEM\XMLs\XMLs.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\Css.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Common.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\Email.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\Unsolicited.exe
    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Remote Assistance.exe
    C:\WINDOWS\pchealth\UploadLB\Binaries\Binaries.exe
    C:\WINDOWS\pchealth\UploadLB\Config\Config.exe
    C:\WINDOWS\Registration\Registration.exe
    C:\WINDOWS\srchasst\chars\chars.exe
    C:\WINDOWS\srchasst\mui\0409\0409.exe
    C:\WINDOWS\srchasst\srchasst.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
    .

    2007-12-21 11:14 . 2007-12-21 11:14 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-20 09:01 . 2007-12-20 09:01 <DIR> d-------- C:\Program Files\Alwil Software
    2007-12-20 09:01 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-12-20 09:01 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
    2007-12-20 09:01 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-12-20 09:01 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-20 09:01 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-20 09:01 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-20 09:01 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-20 09:01 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-18 13:50 . 2007-12-18 13:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-17 16:12 . 2007-12-17 16:12 396,288 --a------ C:\HijackThis.exe
    2007-12-17 13:05 . 2007-12-18 12:45 415 --a------ C:\WINDOWS\wininit.ini
    2007-12-17 11:21 . 2007-12-17 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-17 10:43 . 2007-12-07 11:43 152,388 --a------ C:\WINDOWS\hplj1320.hi1
    2007-12-17 10:43 . 2007-12-07 11:43 13,271 --a------ C:\WINDOWS\hplj1320.bu1
    2007-12-07 11:43 . 2007-12-07 11:43 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
    2007-12-07 11:42 . 2003-06-16 16:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
    2007-12-07 11:42 . 2003-07-02 13:15 61,440 --a------ C:\WINDOWS\system32\PMLJNI.dll
    2007-12-07 11:42 . 2004-03-25 17:30 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
    2007-12-07 11:42 . 2003-06-20 12:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
    2007-12-07 11:41 . 2007-12-07 11:42 <DIR> d--h----- C:\Program Files\Zero G Registry
    2007-12-07 11:39 . 2004-05-21 04:44 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
    2007-12-07 09:27 . 2007-12-07 09:27 103 --a------ C:\WINDOWS\system32\hptrace.ini
    2007-12-07 09:26 . 2007-12-07 09:26 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2007-12-07 09:26 . 2007-12-17 10:43 1,788 --a------ C:\WINDOWS\hplj1320.his
    2007-12-07 09:26 . 2007-12-17 10:43 356 --a------ C:\WINDOWS\hplj1320.ini
    2007-12-07 03:00 . 2007-12-07 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-12-06 12:41 . 2007-12-06 12:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\BroadSoft
    2007-12-06 12:31 . 2007-12-06 12:31 <DIR> d-------- C:\Program Files\Speakeasy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-26 20:25 --------- d-----w C:\Program Files\Logitech
    2007-12-20 20:57 --------- d-----w C:\Program Files\Google
    2007-12-07 16:42 --------- d-----w C:\Program Files\Hewlett-Packard
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-08-17 14:11 63,656 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2007-07-12 19:25 60,968 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{431A60E6-675F-4b9f-B3F0-66E0FECC8B34}]
    2007-02-05 10:27 634880 --a------ C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 12:35]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 12:32]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 12:36]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 C:\WINDOWS\KHALMNPR.Exe]
    "StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29]
    "TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 10:10]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-26 15:57:49]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""


    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-27 08:49:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-27 8:50:22
    C:\ComboFix2.txt ... 2007-12-26 15:55
    C:\ComboFix3.txt ... 2007-12-21 10:35
    .
    2007-12-12 08:03:03 --- E O F ---



    - - - Balance to follow in next post - - -
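    The cross-check the helper does by eye at this point, written out as an added Python example (not code from the thread, from ComboFix or from sUBs): parse the File:: section of a CFScript and the "Other Deletions" section of the ComboFix log it produced, and report which requested paths the log actually confirms as deleted. The sample script and log below are constructed in the same layout as the ones posted above; the path C:\WINDOWS\example\not_deleted.exe is hypothetical and exists only to exercise the unconfirmed case.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced."""
import re
from typing import Dict, List, Tuple

# Constructed sample CFScript using the "File::" directive from the thread:
# two of the thread's paths plus one hypothetical path the log will not confirm.
SAMPLE_CFSCRIPT = "\n".join([
    "File::",
    "",
    r"C:\WINDOWS\srchasst\srchasst.exe",
    r"C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe",
    r"C:\WINDOWS\example\not_deleted.exe",   # hypothetical, for the mismatch case
])

# Constructed ComboFix-style log following the layout of the log posted above:
# an echo of the script under "FILE", then banner-delimited sections.
SAMPLE_LOG = "\n".join([
    "ComboFix 07-12-21.4 - user 2007-12-27 8:47:58.3 - NTFSx86",
    r"Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt",
    "* Created a new restore point",
    "",
    "FILE",
    r"C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe",
    r"C:\WINDOWS\srchasst\srchasst.exe",
    r"C:\WINDOWS\example\not_deleted.exe",
    ".",
    "",
    "(((((((((((((((((((( Other Deletions ))))))))))))))))))))",
    ".",
    "",
    r"C:\WINDOWS\pchealth\helpctr\Logs\Logs.exe",
    r"c:\windows\SRCHASST\srchasst.exe",      # case differs, as NTFS paths may
    "",
    ".",
    "(((((((((((((( Files Created from 2007-11-27 to 2007-12-27 ))))))))))))))",
    ".",
    r"2007-12-21 11:14 . 2007-12-21 11:14 <DIR> d-------- C:\Program Files\Trend Micro",
])

# A CFScript directive is a word followed by "::" on a line of its own.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# ComboFix separates log sections with banners like "(((( Other Deletions ))))".
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each 'Name::' directive (lower-cased) to the non-blank lines under it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into banner-delimited sections; 'header' holds lines before the first banner."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and line != ".":          # ComboFix pads sections with lone dots
            sections[current].append(line)
    return sections


def norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them in one case."""
    return path.lower()


def check_deletions(cfscript_text: str, log_text: str) -> Tuple[List[str], List[str]]:
    """Return (confirmed, unconfirmed): File:: paths that do / do not appear under 'Other Deletions'."""
    requested = parse_cfscript(cfscript_text).get("file", [])
    deleted = {norm(p) for p in parse_combofix_log(log_text).get("other deletions", [])}
    confirmed = [p for p in requested if norm(p) in deleted]
    unconfirmed = [p for p in requested if norm(p) not in deleted]
    return confirmed, unconfirmed


if __name__ == "__main__":
    ok, missing = check_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print("confirmed deleted:", *ok, sep="\n  ")
    print("not confirmed (still present, or path not matched):", *missing, sep="\n  ")
```

    An unconfirmed path is the cue to ask for the file's status in the next reply rather than assuming the script ran on it.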

  3. #13
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    - - - Continued from previous post - - -

    II. HJT Log, 27Dec07

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:01:19 AM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_SP.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Telephony Toolbar Services - {431A60E6-675F-4b9f-B3F0-66E0FECC8B34} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Telephony Toolbar Call Control - {8F1FF1A7-C048-4d6b-B052-56E42CE427CB} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
    O3 - Toolbar: Telephony Toolbar Call Control - {6F6690B9-C5DB-4F08-8833-F2EF4DEE956B} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll
    O3 - Toolbar: Telephony Toolbar Services - {F10D927F-D3DF-4734-98AB-DD258253F5FD} - C:\Program Files\Speakeasy\VoIP Communications Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Dial - C:\Program Files\Speakeasy\VoIP Communications Toolbar\conf\dialIE.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.bullhorn.com
    O15 - Trusted Zone: *.bullhornstaffing.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172103904203
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1172106586828
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DC776D-9457-4AD2-8C51-02864FE417DD}: NameServer = 66.28.0.45,66.26.0.61
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6567 bytes



    Question: The last few times I've started my machine I have been getting the following message: "Windows Firewall has blocked some features of this program. Name: javaw Publisher: unknown." It looks like something out of a Java program, but I'm so paranoid right now I hit "keep blocking" each time and kept it from opening. Is this item actually OK?

    - - - End of post - - -

  4. #14
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    Question: The last few times I've started my machine I have been getting the following message: "Windows Firewall has blocked some features of this program. Name: javaw Publisher: unknown." It looks like something out of a Java program, but I'm so paranoid right now I hit "keep blocking" each time and kept it from opening. Is this item actually OK?
    Javaw is Sun Java's executable and is ok. You can click Unblock the next time the Security Alert window shows up.



    Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.



    Step # 1: Remove old versions of Java

    While you have the latest version of Java installed, older Java versions have vulnerabilities and need to be removed.

    Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

    • J2SE Runtime Environment 5.0 Update 11
    • Java(TM) SE Runtime Environment 6 Update 1
    • Java(TM) 6 Update 2




    Step # 2: Download AVG Anti-Spyware

    Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

    If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
    • Click the Update icon at the top and under Manual Update click the Start update button.
    • The program will either update or inform you that no update was available.
    • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
    Please set up the program as follows:
    • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
    • Click the Update icon and untick the automatic update option.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act? - make sure that Quarantine is selected.
      • Under How to scan? - All checkboxes should be ticked.
      • Under Possibly unwanted software - All checkboxes should be ticked.
      • Under Reports - Select Do not automatically generate reports.
      • Under What to scan? - Select Scan every file.
    Close all open windows.
    Do not run a scan yet.



    Step # 3: Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Step # 4: Boot into Safe Mode

    You can go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.



    Step # 5: Run AVG Anti-Spyware

    • Click on Scanner on the toolbar.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan your computer.
    • When the scan has finished, follow the instructions below:
      • Make sure that Set all elements to: shows Quarantine
      • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
      • When the program has finished, it will display the message All actions have been applied.
      • Then click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Tray Icon and select Exit.
    • Reboot your computer.
    • Now copy the report back to this topic.



    Step # 6: Post Logs

    In your next post/reply, I'd like to see the following:

    1. AVG Anti-Spyware Report
    2. A fresh HiJackThis Log


    If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
    Malware Removal University Master
    Member of ASAP & UNITE

  5. #15
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    km2357, I will be out of town over New Year's weekend and will do my homework when I get back into town on New Year's Day. Thanks for all your help.

  6. #16
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    No problem and thanks for letting me know.
    Malware Removal University Master
    Member of ASAP & UNITE

  7. #17
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    km2357, I got tied up since New Year's Day with frozen fuel lines in my car (it's been cold here in New England!) and work. Will be doing my homework this afternoon. Sorry for the delay.

  8. #18
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    Newenglandhiker?

    Do you still need my help? If any of my instructions were unclear, please let me know.
    Malware Removal University Master
    Member of ASAP & UNITE
