please help

[gpercle]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:44 AM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\fadet\atisvc_wyiyhqmxe.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\fadet\atisvc_wyiyhqmxe.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\wpsscannersvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: atisvc_wyiyhqmxe - Unknown owner - C:\WINDOWS\system32\fadet\atisvc_wyiyhqmxe.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WPS Wi-Fi Scanner Service (wpsscannersvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\wpsscannersvc.exe
O24 - Desktop Component 0: (no name) - http://by136fd.bay136.hotmail.msn.co...842&mimepart=5

--
End of file - 8109 bytes

[Shaba]

Hi gpercle

I'd like you to check a file for malware.

• Go to VirusTotal or Jotti's

C:\WINDOWS\system32\fadet\atisvc_wyiyhqmxe.exe

• Copy/Paste the first file on the list into the white Upload a file box.
• Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
• After a while, a window will open, with details of what the scans found.
• Save the complete results in a Notepad/Word document on your desktop.
• Post back results here, please.

[gpercle]

Well Im fixing this computer for a girl friend of mine. She was told by her ex-Boyfriends ex-wife that he put a program on her computer to get screen shots and passwords. So he's been spying on her and getting into all her personal banks accounts and what not. So the only thing that looked fishy to me was that file you wanted me to upload......so I wanted to get her computer back to her.....so I fixed those line items with hjt. I'll check tonight to see if it still resides on her pc if so I will upload.If not guess we can rule that out.

[gpercle]

File atisvc_wyiyhqmxe.exe received on 03.12.2009 02:24:35 (CET)
Current status: finished
Result: 0/39 (0%)
Compact
Print results
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:



Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.11 -
AhnLab-V3 5.0.0.2 2009.03.11 -
AntiVir 7.9.0.109 2009.03.11 -
Authentium 5.1.0.4 2009.03.11 -
Avast 4.8.1335.0 2009.03.11 -
AVG 8.0.0.237 2009.03.12 -
BitDefender 7.2 2009.03.12 -
CAT-QuickHeal 10.00 2009.03.11 -
ClamAV 0.94.1 2009.03.11 -
Comodo 1049 2009.03.11 -
DrWeb 4.44.0.09170 2009.03.12 -
eSafe 7.0.17.0 2009.03.11 -
eTrust-Vet None 2009.03.09 -
F-Prot 4.4.4.56 2009.03.11 -
F-Secure 8.0.14470.0 2009.03.11 -
Fortinet 3.117.0.0 2009.03.11 -
GData 19 2009.03.12 -
Ikarus T3.1.1.45.0 2009.03.12 -
K7AntiVirus 7.10.667 2009.03.11 -
Kaspersky 7.0.0.125 2009.03.12 -
McAfee 5550 2009.03.11 -
McAfee+Artemis 5550 2009.03.11 -
Microsoft 1.4405 2009.03.11 -
NOD32 3929 2009.03.11 -
Norman 6.00.06 2009.03.11 -
nProtect 2009.1.8.0 2009.03.11 -
Panda 10.0.0.10 2009.03.12 -
PCTools 4.4.2.0 2009.03.11 -
Prevx1 V2 2009.03.12 -
Rising 21.20.22.00 2009.03.11 -
SecureWeb-Gateway 6.7.6 2009.03.11 -
Sophos 4.39.0 2009.03.11 -
Sunbelt 3.2.1858.2 2009.03.12 -
Symantec 1.4.4.12 2009.03.12 -
TheHacker 6.3.3.0.279 2009.03.11 -
TrendMicro 8.700.0.1004 2009.03.11 -
VBA32 3.12.10.1 2009.03.11 -
ViRobot 2009.3.11.1645 2009.03.11 -
VirusBuster 4.5.11.0 2009.03.11 -
Additional information
File size: 416579 bytes
MD5...: 702abd84e255bf699c2daa165359b5bb
SHA1..: 83c5808d84d49d5883f830e1d23bf615ae81f88d
SHA256: a191f0b117dd567e06f16df49727ef4185a61e11c165badc5509dc25c14b7156
SHA512: d6a61dac12ddad11c14bfce8e2f1cd14f66c85381dc23b9035cb04264138ff1a
9116092b59c91c93c118735b81cb879893adb0bfb365130c2818038430d4c9b7
ssdeep: 6144:WxqjUubetNb99PiHtAoxgLas656GGDx6GGDx6GGDxdGI:WxAyxUHt5eLaL6
GGDx6GGDx6GGDxdGI
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14b5d
timedatestamp.....: 0x49219c5b (Mon Nov 17 16:31:23 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4c31c 0x4d000 6.63 ccbabcccf1df07b8f7cc7ba40fab78dc
.rdata 0x4e000 0xc034 0xd000 4.85 4328653e718d2097788f6f3434ccafb4
.data 0x5b000 0x3ecc 0x2000 3.09 bb61302ef570667ea80c3eb093426ff1
.rsrc 0x5f000 0x3c8 0x1000 3.68 99c6bf242b5e563081458eb7ac56ad44

( 11 imports )
> KERNEL32.dll: VirtualFreeEx, VirtualAllocEx, DeleteFileW, SetFileAttributesW, CreateProcessW, GetTickCount, WriteFile, CreateFileW, ExpandEnvironmentStringsW, CreateDirectoryW, lstrcatW, GetSystemTime, ReadFile, GetFileSize, GlobalUnlock, GlobalLock, CreateRemoteThread, GetTempFileNameW, GetTempPathW, OpenEventW, QueryDosDeviceW, GetSystemDirectoryW, WaitForMultipleObjects, FreeEnvironmentStringsW, GetEnvironmentStrings, lstrlenA, GetExitCodeThread, GetTimeZoneInformation, LoadLibraryW, FindResourceExW, CreateFileMappingW, OpenFileMappingW, CreateMutexW, CreateSemaphoreW, MapViewOfFile, UnmapViewOfFile, LockResource, WideCharToMultiByte, SetUnhandledExceptionFilter, SetErrorMode, GetCommandLineW, GetCurrentThreadId, TerminateThread, GetExitCodeProcess, GetCurrentProcessId, CreateToolhelp32Snapshot, Process32FirstW, ProcessIdToSessionId, OpenProcess, Process32NextW, WaitForSingleObject, CreateEventW, LoadLibraryExW, FindResourceW, LoadResource, SizeofResource, TerminateProcess, lstrcmpiW, InterlockedIncrement, LeaveCriticalSection, EnterCriticalSection, FreeLibrary, HeapAlloc, GetCurrentThread, GetCurrentProcess, RaiseException, CloseHandle, MultiByteToWideChar, SetEvent, GetModuleFileNameW, lstrcpyW, lstrcpynW, GetModuleHandleW, GetProcAddress, GetProcessHeap, HeapFree, GetComputerNameW, lstrlenW, LocalFree, GetVersionExW, InterlockedDecrement, GetLastError, DeleteCriticalSection, InitializeCriticalSection, GlobalSize, InterlockedExchangeAdd, ReleaseSemaphore, ReleaseMutex, GlobalAlloc, GlobalReAlloc, FreeEnvironmentStringsA, GlobalFree, SetEnvironmentVariableA, CompareStringW, CompareStringA, FlushFileBuffers, CreateFileA, GetLocaleInfoW, WriteConsoleW, GetConsoleOutputCP, LCMapStringW, LCMapStringA, Sleep, IsValidCodePage, GetOEMCP, GetCPInfo, SetLastError, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleFileNameA, GetStdHandle, ExitProcess, GetModuleHandleA, VirtualAlloc, FatalAppExitA, VirtualFree, HeapCreate, GetStartupInfoW, GetSystemTimeAsFileTime, CreateThread, ExitThread, IsDebuggerPresent, WriteConsoleA, SetStdHandle, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetDateFormatA, GetTimeFormatA, GetStringTypeW, GetStringTypeA, LoadLibraryA, SetConsoleCtrlHandler, GetConsoleMode, GetConsoleCP, SetFilePointer, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, GetCommandLineA, UnhandledExceptionFilter, RtlUnwind, HeapSize, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, HeapDestroy, HeapReAlloc, GetEnvironmentStringsW
> USER32.dll: UnregisterClassA, GetWindowThreadProcessId, IsWindow, TranslateMessage, MessageBoxW, CharLowerW, CharNextW, PostThreadMessageW, CharLowerBuffW, DispatchMessageW, MsgWaitForMultipleObjects, GetParent, PeekMessageW, wsprintfW
> ADVAPI32.dll: RegDeleteKeyW, CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, DuplicateTokenEx, SetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, CreateProcessAsUserW, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, CreateServiceW, RegGetKeySecurity, RegOpenKeyW, RegSetKeySecurity, RegQueryValueExW, OpenThreadToken, OpenProcessToken, SetServiceStatus, StartServiceW, ControlService, DeleteService, OpenSCManagerW, OpenServiceW, CloseServiceHandle, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, SetSecurityDescriptorDacl, LookupAccountNameW, ConvertSidToStringSidW, GetTokenInformation, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, IsValidSid, GetLengthSid, CopySid, RegOpenKeyExW, RegCloseKey, CryptEncrypt, CryptDecrypt, CryptDestroyKey, CryptDeriveKey
> ole32.dll: CoRevokeClassObject, CoRegisterClassObject, CoUninitialize, CoInitializeEx, CoInitialize, CoTaskMemRealloc, CoCreateInstance, CoTaskMemFree, StringFromCLSID, GetHGlobalFromStream, CreateStreamOnHGlobal, CoRegisterPSClsid, CoInitializeSecurity, CoTaskMemAlloc
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathRemoveFileSpecW, PathFileExistsW, PathStripPathW, PathAppendW, SHCreateStreamOnFileW
> RPCRT4.dll: UuidCreate
> USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock
> PSAPI.DLL: EnumProcessModules, GetModuleFileNameExW, GetModuleBaseNameW
> WTSAPI32.dll: WTSFreeMemory, WTSCloseServer, WTSQuerySessionInformationW, WTSOpenServerW
> NETAPI32.dll: NetWkstaUserEnum, NetApiBufferFree

( 0 exports )

[gpercle]

about top scan I used both sites neither one came up with anything...also I noticed in the folder where the exe file is located there is a setup.exe and I think all of these files belong to some skyhook wirless thing...

thx

[Shaba]

Which entries you fixed with HijackThis?

Please tell me also which other files are in C:\WINDOWS\system32\fadet folder?

[Shaba]

Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.