Here's HJT - Do YOU see anything bad here?
Considering that my old notebook is now mashed flat with "yrndlcit.exe" - whatever that is (see http://forums.spybot.info/showthread.php?t=22591 if you're interested; I tried to run Kaspersky on it, but whatever's got it has got it good... IE disappeared without a trace as soon as it started downloading from Kaspersky) - I thought I ought to take a look at my "good" Windows computer, which coexists regularly on my LAN with the definitely infected notebook. I ran the Kaspersky online scan on the good one, and it found (after 3 1/2 hours) a number of things that I'm pretty damn sure are NOT malware along with a few that well may be. This computer isn't manifesting any obvious symptoms yet, and I'd like to keep it that way! This is a computer I got from the local County government's disposal auction (new computers every year or two - nothing is too good or two expensive that it can't be bought with taxpayers' money!). It's been running fine, so I haven't done a heck of a lot to it (I'd love to be someone other than "Sarah", but I haven't been able to change the directory name - got the login changed, but not the directory...).
I never use IE unless absolutely necessary (i.e. for Kaspersky) - it's only showing up here (I think) because I didn't exit after Kaspersky finished.
Here are the Kaspersky and HJT logs... anyone see anything nasty here?
NOPE - Just the HJT - the two together were too big, and tashi says only post the HJT to start and Kaspersky if asked for... so here's the HJT. The Kaspersky said 18 viruses, but quite a few of the listed files were VNC related (ultra and real), and I'm moderately sure they're okay. Several of the others were in backup directories, so although they may be real and nasty, I don't think they're active - if they are, I'm assuming it'll show up in HJT.
Anyway, here's the HJT.
Thanks for looking!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:03 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\PROGRA~1\UpsPilot\wpRMI.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\SiSAudUt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ciracms.cira.state.tx.us/ips/...gin/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/ser...00046.000000b7
O4 - HKUS\S-1-5-18\..\Run: [Symantec Network Driver Update Warning] c:\program files\symnetdrv\sndwarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec Network Driver Update Warning] c:\program files\symnetdrv\sndwarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZSYYYYYYYYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: BlogJet This! - {8CF92EF4-0728-4B2F-B8DD-10B4912E608C} - C:\Documents and Settings\Sarah\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js
O9 - Extra 'Tools' menuitem: BlogJet This! - {8CF92EF4-0728-4B2F-B8DD-10B4912E608C} - C:\Documents and Settings\Sarah\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1155048161046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155052289171
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761266E2-3218-4E56-9F52-CA0573CC3886}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
--
End of file - 8562 bytes
