[Resolved] HijackThis Log. I've tried everything!


  • This topic is locked
10 replies to this topic

#1 mk12

mk12

    New Member

  • Authentic Member
  • 7 posts

Posted 01 April 2008 - 08:08 AM

I've used stop-sign.com, PC Cleaner, Spybot, VundoFix and ATF Cleaner. I've tried to remove adware/spyware by scanning in safe mode, etc. I am still getting a pop-up about security problems, and should I click on it, it goes to 'adsites'. I also continue to get a security screen that pops up saying there is a trojan downloader.

Here's my log if anyone can help!!



Logfile of HijackThis v1.99.1
Scan saved at 8:48:39 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\nchqzaro\jghodqdc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\Imgtask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rcbqxaxo.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tri-West Communications
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [ImgTask] C:\WINDOWS\Imgtask.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\onaccess.exe" -erk
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [usouygka] C:\WINDOWS\system32\rcbqxaxo.exe
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xquttvvo] C:\WINDOWS\system32\epypcxez.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akama...ol/SymDlBrg.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: KbdRunOnce - {080d8244-bea4-4833-aa9b-ca1db624b38e} - C:\WINDOWS\Installer\{080d8244-bea4-4833-aa9b-ca1db624b38e}\KbdRunOnce.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

Edited by mk12, 03 April 2008 - 12:33 AM.
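
As an added triage example (not part of this thread, and not code from HijackThis or its author), the script below parses the O4 (Run-key) lines of a HijackThis log like the one posted above and flags two patterns a helper looks for by eye: an autorun whose registry value name and executable name are both random-looking 8-letter strings that do not match each other (as with `usouygka` -> `rcbqxaxo.exe`), and an autorun whose target lives in a temporary or browser-cache directory. The sample lines are a constructed excerpt modelled on the log; the heuristics are my assumptions, and a hit is a prompt for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few O4/O2 lines modelled on the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [usouygka] C:\WINDOWS\system32\rcbqxaxo.exe
O4 - HKCU\..\Run: [xquttvvo] C:\WINDOWS\system32\epypcxez.exe
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First drive-letter path ending in a loadable extension (quotes excluded).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|com)\b', re.IGNORECASE)
# Heuristic (assumption): eight lowercase letters with no meaning, e.g. "usouygka".
RANDOM8 = re.compile(r"^[a-z]{8}$")
TEMP_DIRS = ("temporary internet files", "\\local settings\\temp\\", "\\windows\\temp\\")

REASON_RANDOM = "random 8-letter value name and file name that do not match"
REASON_TEMP = "autorun target lives in a temporary or browser-cache directory"


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reason: str


def first_path(cmd: str) -> str:
    """Return the first drive-letter path in the command line, else its first token."""
    m = PATH_RE.search(cmd)
    if m:
        return m.group(0)
    parts = cmd.replace('"', " ").split()
    return parts[0] if parts else cmd


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\rcbqxaxo.exe' -> 'rcbqxaxo'."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def check_o4(line: str) -> Optional[Finding]:
    """Apply the two heuristics to one log line; None if it is not a flagged O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    path = first_path(cmd)
    stem = basename_stem(path)
    if RANDOM8.match(name) and RANDOM8.match(stem) and name != stem:
        return Finding(hive, name, path, REASON_RANDOM)
    if any(t in path.lower() for t in TEMP_DIRS):
        return Finding(hive, name, path, REASON_TEMP)
    return None


def scan(log: str) -> List[Finding]:
    """Run check_o4 over every line of a HijackThis log and collect the hits."""
    return [f for f in (check_o4(line) for line in log.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.path}\n    -> {f.reason}")
```

Note that `hpsysdrv` is also eight lowercase letters but is not flagged, because its value name and file name agree; the mismatch is what the rule keys on. Entries such as `(file missing)` BHOs are left to the reader's eye here, since they are not O4 lines.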



#2 Blade81

Blade81

    SuperMember

  • Visiting Fellow
  • 1,065 posts
  • Interests:Floorball, football, music, computers..
  • MVP

Posted 06 April 2008 - 12:53 PM

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here

Edited by Blade81, 06 April 2008 - 12:54 PM.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#3 mk12

mk12

    New Member

  • Authentic Member
  • 7 posts

Posted 06 April 2008 - 06:57 PM

I ran combofix and it seemed to go fine. As soon as I was out of the log, another "security center" blue screen popped up advising there is a "problem" that needs to be fixed. See ComboFix log below.

ComboFix 08-04-06.1 - Owner 2008-04-06 19:39:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.722 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scmonitorplink.dll
C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktop\blackbird.jpg
C:\Documents and Settings\Owner\Desktop\virii
C:\WINDOWS\a.bat
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\Installer\{080d8244-bea4-4833-aa9b-ca1db624b38e}\KbdRunOnce.dll
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-03 13:49 . 2008-04-03 13:49 106,496 --a------ C:\WINDOWS\system32\vmxyrqpq.exe
2008-04-02 12:31 . 2008-04-02 12:31 98,304 --a------ C:\WINDOWS\system32\nwnajizu.exe
2008-04-02 04:26 . 2008-04-02 04:26 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-01 17:55 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-01 17:55 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-01 17:54 . 2008-04-01 17:54 <DIR> d-------- C:\Program Files\Executive Software
2008-04-01 17:53 . 2008-04-05 22:23 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-04-01 17:53 . 2008-04-06 17:00 <DIR> d-------- C:\Program Files\SecurityCoverage Help and Support Center
2008-04-01 17:53 . 2006-01-05 21:45 19,712 --a------ C:\WINDOWS\system32\drivers\ndisrd.sys
2008-04-01 17:49 . 2008-04-01 17:49 86,016 --a------ C:\WINDOWS\system32\gzgzqnyh.exe
2008-04-01 07:56 . 2008-04-01 07:56 <DIR> d-------- C:\VundoFix Backups
2008-04-01 06:33 . 2008-04-01 06:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-01 06:06 . 2008-04-01 06:06 106,496 --a------ C:\WINDOWS\system32\wbibefed.exe
2008-04-01 04:03 . 2008-04-01 04:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC-Cleaner
2008-03-31 16:48 . 2008-04-01 01:09 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-31 16:45 . 2008-03-31 16:45 <DIR> d-------- C:\WINDOWS\Sun
2008-03-31 16:45 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 16:44 . 2008-03-31 16:45 <DIR> d-------- C:\Program Files\Java
2008-03-31 16:43 . 2008-03-31 16:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 08:52 . 2008-03-31 08:52 90,112 --a------ C:\WINDOWS\system32\epypcxez.exe
2008-03-31 07:13 . 2008-04-01 17:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-31 07:13 . 2008-04-01 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 03:27 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-03-28 18:58 . 2008-03-30 03:29 <DIR> d-------- C:\Program Files\eAcceleration
2008-03-28 08:26 . 2002-07-26 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-03-28 06:32 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-03-28 00:16 . 2008-03-30 18:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC-Cleaner
2008-03-28 00:15 . 2008-04-01 20:01 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-27 23:27 . 2008-03-27 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nchqzaro
2008-03-27 23:27 . 2008-03-27 23:27 110,592 --a------ C:\WINDOWS\system32\rcbqxaxo.exe
2008-03-26 03:00 . 2008-03-26 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-25 14:57 . 2008-03-25 14:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Blackberry Desktop
2008-03-25 14:38 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-25 14:38 . 2004-08-04 00:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-25 14:35 . 2008-03-25 14:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-03-25 14:35 . 2008-03-26 18:56 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-03-25 14:35 . 2008-03-26 18:56 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-03-25 14:35 . 2008-03-25 14:35 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-03-25 14:33 . 2008-03-25 14:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Research In Motion
2008-03-25 14:33 . 2008-03-27 23:56 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-25 14:13 . 2008-03-25 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-25 14:13 . 2008-03-25 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-25 14:07 . 2008-03-25 14:12 <DIR> d-------- C:\Program Files\Roxio
2008-03-25 14:07 . 2008-03-25 14:12 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-25 14:07 . 2008-03-25 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-25 13:55 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-03-25 13:53 . 2008-03-25 13:53 <DIR> d-------- C:\Program Files\Research In Motion
2008-03-25 13:53 . 2008-03-25 13:54 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-03-25 13:45 . 2008-03-25 13:45 <DIR> d--hs---- C:\WINDOWS\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 22:55 --------- d-----w C:\Program Files\Symantec
2008-04-01 22:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-30 08:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-03-27 00:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2008-03-25 20:15 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-25 19:09 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-25 19:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-07 12:03 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-02-23 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 13:52 --------- d-----w C:\Program Files\3D Home Interiors 2.0
2008-02-07 16:36 --------- d-----w C:\Program Files\Coupons
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"EZNXP"="C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe" [2001-12-12 05:39 40960]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 02:55 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"usouygka"="C:\WINDOWS\system32\rcbqxaxo.exe" [2008-03-27 23:27 110592]
"xquttvvo"="C:\WINDOWS\system32\epypcxez.exe" [2008-03-31 08:52 90112]
"ozmidjiw"="C:\WINDOWS\system32\gzgzqnyh.exe" [2008-04-01 17:49 86016]
"SpybotSD TeaTimer"="C:\Program Files\SecurityCoverage Help and Support Center\spywarescan\TeaTimer.exe" [ ]
"qrivvqty"="C:\WINDOWS\system32\nwnajizu.exe" [2008-04-02 12:31 98304]
"uwqdnnpu"="C:\WINDOWS\system32\vmxyrqpq.exe" [2008-04-03 13:49 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"NvCplDaemon"="NvQTwk" []
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 01:11 69632]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 10:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 10:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 15:05 45056]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-12-10 15:35 323216]
"ImgTask"="C:\WINDOWS\Imgtask.exe" [2006-12-12 22:26 20480]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]
"SBI"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe" [ ]
"OnAccess"="C:\Program Files\eAcceleration\OnAccess\onaccess.exe" [2008-03-18 16:26 214352]
"eanth_system_patcher"="C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-10-19 22:43 120688]
"SCPopupBlocker"="C:\Program Files\SecurityCoverage Help and Support Center\PopupBlocker.exe" [ ]
"SCControlPanel"="C:\Program Files\SecurityCoverage Help and Support Center\SCControlPanel.exe" [2007-07-18 16:36 1713152]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2003-09-06 16:00:02 189952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DHRoUdiW6Y"= C:\Documents and Settings\All Users\Application Data\nchqzaro\jghodqdc.exe

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{42DD0873-5FA9-465D-90DE-0826020416A5}"= C:\Program Files\eAcceleration\OnAccess\onaccess_hk32.dll [2008-03-18 16:26 161104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"VIDC.WMV3"= wmv9vcm.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StopSignSsFwMon"=Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
"StopSignSsSsMon"=Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
"StopSignSsTsMon"=Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" /b Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"=

R0 fwcore;Fwcore Filter;C:\WINDOWS\system32\drivers\fwcore.sys [2008-03-10 20:14]
R1 ndisrd;ndisrd;C:\WINDOWS\system32\drivers\ndisrd.sys [2006-01-05 21:45]
R2 SCMonitor;SecureIT Monitor Service 2.0;C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\SCMonitorService.exe [2007-07-24 21:34]
R2 SCSschedulerService;SecureIT Scheduling Service;C:\Program Files\SecurityCoverage Help and Support Center\SCSchedulerService.exe [2007-07-18 16:37]
S2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-11 15:45]
S2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-11 15:45]
S2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe [2008-03-10 20:14]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288d7481-b531-11dc-b26a-00402b34c7f8}]
\Shell\AutoRun\command - F:\Imageviewer.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 19:42:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SBI = C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scmonitorplink.dll
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scmonitorplink.dll
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll
.
Completion time: 2008-04-06 19:44:11
ComboFix-quarantined-files.txt 2008-04-07 00:43:46
Pre-Run: 20,251,709,440 bytes free
Post-Run: 20,235,337,728 bytes free
.
2008-03-26 08:00:51 --- E O F ---
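
As an added example (not part of the thread and not ComboFix's own code), the script below parses the REGEDIT4-style "Reg Loading Points" section that ComboFix prints above and raises the items a helper reads for first: Security Center notification and monitoring switched off, the Windows Firewall standard profile disabled, Automatic Updates disabled by policy, anything started from the `policies\explorer\run` key, and an AutoRun command registered under `mountpoints2` for a removable drive. The sample dump is a constructed excerpt modelled on the log above; the rule table is my assumption about what is worth surfacing, not a list ComboFix itself applies.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DHRoUdiW6Y"= C:\Documents and Settings\All Users\Application Data\nchqzaro\jghodqdc.exe

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288d7481-b531-11dc-b26a-00402b34c7f8}]
\Shell\AutoRun\command - F:\Imageviewer.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")
INT_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")
AUTORUN_PREFIX = "\\Shell\\AutoRun\\command"

# (key suffix, value name, value that weakens security, description) -- assumed rule table
WEAKENING: List[Tuple[str, str, int, str]] = [
    ("\\security center", "AntiVirusDisableNotify", 1, "Security Center anti-virus alerts suppressed"),
    ("\\security center\\monitoring\\symantecantivirus", "DisableMonitoring", 1,
     "Security Center monitoring of Symantec AntiVirus turned off"),
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall disabled (standard profile)"),
    ("\\windowsupdate\\au", "NoAutoUpdate", 1, "Automatic Updates disabled by policy"),
]


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key (lowercased): {value name: raw value text}} for a REGEDIT4-style dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("raw").strip()
        elif line.startswith(AUTORUN_PREFIX):
            # ComboFix prints mountpoints2 autorun commands unquoted: "\Shell\AutoRun\command - F:\x.exe"
            keys[current][AUTORUN_PREFIX] = line.split(" - ", 1)[-1].strip()
    return keys


def as_int(raw: str) -> Optional[int]:
    """Decode 'dword:00000001' or '1 (0x1)' to an int; None for strings and paths."""
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return None


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, description) for every item worth a second look."""
    findings = []
    for key, values in keys.items():
        for suffix, name, bad, desc in WEAKENING:
            if key.endswith(suffix) and as_int(values.get(name, "")) == bad:
                findings.append((key, name, desc))
        if key.endswith("\\policies\\explorer\\run"):
            for name, raw in values.items():
                findings.append((key, name, "policy-enforced Run entry: " + raw))
        if "\\mountpoints2\\" in key and AUTORUN_PREFIX in values:
            findings.append((key, AUTORUN_PREFIX, "AutoRun command for a removable drive: " + values[AUTORUN_PREFIX]))
    return findings


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    return audit(parse_reg_dump(text))


if __name__ == "__main__":
    for key, name, desc in audit_text(SAMPLE_DUMP):
        print(f"{desc}\n    {key} :: {name}")
```

The parser keys everything off the bracketed section headers, so the `[date size]` annotations ComboFix appends to value lines and the disabled `run-` key are carried through untouched and simply do not match any rule.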

#4 Blade81

Blade81

    SuperMember

  • Visiting Fellow
  • 1,065 posts
  • Interests:Floorball, football, music, computers..
  • MVP

Posted 06 April 2008 - 11:27 PM

Hi


Disable Spybot's TeaTimer
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vmxyrqpq.exe
C:\WINDOWS\system32\nwnajizu.exe
C:\WINDOWS\system32\gzgzqnyh.exe
C:\WINDOWS\system32\wbibefed.exe
C:\WINDOWS\system32\epypcxez.exe
C:\WINDOWS\system32\rcbqxaxo.exe

Folder::
C:\VundoFix Backups
C:\Program Files\PC-Cleaner
C:\Documents and Settings\All Users\Application Data\nchqzaro

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"usouygka"=-
"xquttvvo"=-
"ozmidjiw"=-
"qrivvqty"=-
"uwqdnnpu"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DHRoUdiW6Y"=-


Save this as CFScript


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & a fresh hjt log in your next reply.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#5 mk12


Posted 07 April 2008 - 06:47 AM

Here is the CFScript/ComboFix log.

ComboFix 08-04-06.1 - Owner 2008-04-07 7:36:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.795 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\epypcxez.exe
C:\WINDOWS\system32\gzgzqnyh.exe
C:\WINDOWS\system32\nwnajizu.exe
C:\WINDOWS\system32\rcbqxaxo.exe
C:\WINDOWS\system32\vmxyrqpq.exe
C:\WINDOWS\system32\wbibefed.exe
.
The following files were disabled during the run:
C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scmonitorplink.dll
C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nchqzaro
C:\Documents and Settings\All Users\Application Data\nchqzaro\jghodqdc.exe
C:\Program Files\PC-Cleaner
C:\Program Files\PC-Cleaner\com\pcsd.dll
C:\VundoFix Backups
C:\WINDOWS\system32\epypcxez.exe
C:\WINDOWS\system32\nwnajizu.exe
C:\WINDOWS\system32\rcbqxaxo.exe
C:\WINDOWS\system32\vmxyrqpq.exe
C:\WINDOWS\system32\wbibefed.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 22:53 . 2008-04-06 22:53 98,304 --a------ C:\WINDOWS\system32\bkxanare.exe
2008-04-02 04:26 . 2008-04-02 04:26 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-01 17:55 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-01 17:55 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-01 17:54 . 2008-04-01 17:54 <DIR> d-------- C:\Program Files\Executive Software
2008-04-01 17:53 . 2008-04-07 07:27 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-04-01 17:53 . 2008-04-07 07:10 <DIR> d-------- C:\Program Files\SecurityCoverage Help and Support Center
2008-04-01 17:53 . 2006-01-05 21:45 19,712 --a------ C:\WINDOWS\system32\drivers\ndisrd.sys
2008-04-01 06:33 . 2008-04-01 06:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-01 04:03 . 2008-04-01 04:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC-Cleaner
2008-03-31 16:48 . 2008-04-01 01:09 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-31 16:45 . 2008-03-31 16:45 <DIR> d-------- C:\WINDOWS\Sun
2008-03-31 16:45 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 16:44 . 2008-03-31 16:45 <DIR> d-------- C:\Program Files\Java
2008-03-31 16:43 . 2008-03-31 16:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 07:13 . 2008-04-01 17:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-31 07:13 . 2008-04-01 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 03:27 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-03-28 18:58 . 2008-03-30 03:29 <DIR> d-------- C:\Program Files\eAcceleration
2008-03-28 08:26 . 2002-07-26 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-03-28 08:26 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-03-28 06:32 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-03-28 00:16 . 2008-03-30 18:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC-Cleaner
2008-03-26 03:00 . 2008-03-26 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-25 14:57 . 2008-03-25 14:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Blackberry Desktop
2008-03-25 14:38 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-25 14:38 . 2004-08-04 00:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-25 14:35 . 2008-03-25 14:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-03-25 14:35 . 2008-03-26 18:56 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-03-25 14:35 . 2008-03-26 18:56 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-03-25 14:35 . 2008-03-25 14:35 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-03-25 14:33 . 2008-03-25 14:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Research In Motion
2008-03-25 14:33 . 2008-03-27 23:56 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-25 14:13 . 2008-03-25 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-25 14:13 . 2008-03-25 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-25 14:07 . 2008-03-25 14:12 <DIR> d-------- C:\Program Files\Roxio
2008-03-25 14:07 . 2008-03-25 14:12 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-25 14:07 . 2008-03-25 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-25 13:55 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-03-25 13:53 . 2008-03-25 13:53 <DIR> d-------- C:\Program Files\Research In Motion
2008-03-25 13:53 . 2008-03-25 13:54 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-03-25 13:45 . 2008-03-25 13:45 <DIR> d--hs---- C:\WINDOWS\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 22:55 --------- d-----w C:\Program Files\Symantec
2008-04-01 22:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-30 08:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-03-27 00:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2008-03-25 20:15 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-25 19:09 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-25 19:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-07 12:03 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-02-23 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 13:52 --------- d-----w C:\Program Files\3D Home Interiors 2.0
2008-02-07 16:36 --------- d-----w C:\Program Files\Coupons
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"EZNXP"="C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe" [2001-12-12 05:39 40960]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 02:55 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"jizjvjvc"="C:\WINDOWS\system32\bkxanare.exe" [2008-04-06 22:53 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"NvCplDaemon"="NvQTwk" []
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 01:11 69632]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 10:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 10:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 15:05 45056]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-12-10 15:35 323216]
"ImgTask"="C:\WINDOWS\Imgtask.exe" [2006-12-12 22:26 20480]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]
"SBI"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe" [ ]
"OnAccess"="C:\Program Files\eAcceleration\OnAccess\onaccess.exe" [2008-03-18 16:26 214352]
"eanth_system_patcher"="C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-10-19 22:43 120688]
"SCPopupBlocker"="C:\Program Files\SecurityCoverage Help and Support Center\PopupBlocker.exe" [ ]
"SCControlPanel"="C:\Program Files\SecurityCoverage Help and Support Center\SCControlPanel.exe" [2007-07-18 16:36 1713152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-26 16:22 155648]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2003-09-06 16:00:02 189952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{42DD0873-5FA9-465D-90DE-0826020416A5}"= C:\Program Files\eAcceleration\OnAccess\onaccess_hk32.dll [2008-03-18 16:26 161104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"VIDC.WMV3"= wmv9vcm.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StopSignSsFwMon"=Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
"StopSignSsSsMon"=Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
"StopSignSsTsMon"=Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" /b Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"=

R0 fwcore;Fwcore Filter;C:\WINDOWS\system32\drivers\fwcore.sys [2008-03-10 20:14]
R1 ndisrd;ndisrd;C:\WINDOWS\system32\drivers\ndisrd.sys [2006-01-05 21:45]
R2 SCSschedulerService;SecureIT Scheduling Service;C:\Program Files\SecurityCoverage Help and Support Center\SCSchedulerService.exe [2007-07-18 16:37]
S2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-11 15:45]
S2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-11 15:45]
S2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe [2008-03-10 20:14]
S2 SCMonitor;SecureIT Monitor Service 2.0;C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\SCMonitorService.exe [2007-07-24 21:34]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288d7481-b531-11dc-b26a-00402b34c7f8}]
\Shell\AutoRun\command - F:\Imageviewer.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 07:40:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SBI = C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scmonitorplink.dll
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scmonitorplink.dll
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\SecurityCoverage Help and Support Center\SCMonitor\scfirewallplink.dll
.
Completion time: 2008-04-07 7:41:43
ComboFix-quarantined-files.txt 2008-04-07 12:41:20
ComboFix2.txt 2008-04-07 00:44:12
Pre-Run: 20,362,567,680 bytes free
Post-Run: 20,346,232,832 bytes free
.
2008-03-26 08:00:51 --- E O F ---

#6 mk12


Posted 07 April 2008 - 08:17 AM

Additionally, here is the Malwarebytes log and below that will be the new HijackThis log.

Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 110895
Time elapsed: 47 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{080d8244-bea4-4833-aa9b-ca1db624b38e} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bkxanare.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\nchqzaro\jghodqdc.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\epypcxez.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nwnajizu.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rcbqxaxo.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vmxyrqpq.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wbibefed.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP20\A0001673.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP20\A0001675.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP20\A0001676.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP20\A0001677.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP20\A0001678.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP20\A0001679.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0001106.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\PC-Cleaner.lnk (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:07 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\Imgtask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SecurityCoverage Help and Support Center\SCControlPanel.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\SCMonitorService.exe
C:\Program Files\SecurityCoverage Help and Support Center\SCSchedulerService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 216.203.102.48 SC00102
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SECURI~1\SPYWAR~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [ImgTask] C:\WINDOWS\Imgtask.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0Y8CGU8\install_sbd_en[1].exe
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\onaccess.exe" -erk
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SCPopupBlocker] C:\Program Files\SecurityCoverage Help and Support Center\PopupBlocker.exe
O4 - HKLM\..\Run: [SCControlPanel] C:\Program Files\SecurityCoverage Help and Support Center\SCControlPanel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jizjvjvc] C:\WINDOWS\system32\bkxanare.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\quarantine\Redirector.exe.scm
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akama...ol/SymDlBrg.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: KbdRunOnce - {080d8244-bea4-4833-aa9b-ca1db624b38e} - (no file)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureIT Monitor Service 2.0 (SCMonitor) - Unknown owner - C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\SCMonitorService.exe
O23 - Service: SecureIT Scheduling Service (SCSschedulerService) - Unknown owner - C:\Program Files\SecurityCoverage Help and Support Center\SCSchedulerService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe


So far, it appears it worked!! I'm crossing my fingers, and thanking you for all of your help!!!!

#7 Blade81

Posted 07 April 2008 - 09:50 AM

Hi

Looks better but still something to do.


Start hjt, do a system scan, check:
O1 - Hosts: 216.203.102.48 SC00102 <--- Do you recognize this? If you do, don't fix it
O4 - HKCU\..\Run: [jizjvjvc] C:\WINDOWS\system32\bkxanare.exe
O4 - Startup: PowerReg Scheduler.exe
O21 - SSODL: KbdRunOnce - {080d8244-bea4-4833-aa9b-ca1db624b38e} - (no file)

Close browsers and other windows. Click fix checked.


Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"=-

It should look like this -> [screenshot]

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)


Reboot and post a fresh hjt log.
Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006
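A small triage script for HijackThis-format lines like the ones above, added here as an example (it is not a HijackThis or WhatTheTech tool): it flags O1 hosts mappings, entries whose target file is gone, and Run values whose name and file name both look auto-generated, and it diffs two logs to confirm what a fix actually removed. The sample lines are constructed from this thread and the flagging heuristics are my own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines (added example; the heuristics
are assumptions, not HijackThis rules)."""
import re

# Constructed excerpts modelled on the logs quoted in this thread: BEFORE is the
# state Blade81 asked to fix, AFTER the fresh log posted afterwards.
BEFORE = [
    r"O1 - Hosts: 216.203.102.48 SC00102",
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKCU\..\Run: [jizjvjvc] C:\WINDOWS\system32\bkxanare.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Startup: PowerReg Scheduler.exe",
    r"O21 - SSODL: KbdRunOnce - {080d8244-bea4-4833-aa9b-ca1db624b38e} - (no file)",
    r"O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)",
]
AFTER = [
    r"O1 - Hosts: 216.203.102.48 SC00102",
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)",
]

LINE_RE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Eight lowercase letters: the shape of the auto-generated names in this log.
RANDOM_RE = re.compile(r"^[a-z]{8}$")


def parse(line):
    """Split 'O4 - ...' into (section, body); unknown shapes get section None."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else (None, line.strip())


def exe_stem(cmd):
    """Lowercase file name, minus extension, of the program a Run entry starts."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(lines):
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in lines:
        sec, body = parse(line)
        if sec == "O1":
            # Any hosts-file mapping overrides name resolution; confirm it is expected.
            findings.append((line, "hosts-file mapping: confirm it is expected"))
        elif "(no file)" in body or "(file missing)" in body:
            # Registration whose target is gone: loads nothing now, safe to remove.
            findings.append((line, "dangling entry: target no longer exists"))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                name, stem = m.group("name").lower(), exe_stem(m.group("cmd"))
                # Vendor entries usually reuse their own name (hpsysdrv -> hpsysdrv.exe);
                # a random value name paired with an unrelated random file does not.
                if RANDOM_RE.match(name) and RANDOM_RE.match(stem) and name != stem:
                    findings.append((line, "random-looking Run value and file name"))
    return findings


def removed_between(before, after):
    """Entries present in the earlier log but absent from the later one."""
    later = {l.strip() for l in after}
    return [l for l in before if l.strip() not in later]


if __name__ == "__main__":
    for line, reason in triage(BEFORE):
        print(f"{reason:45} {line}")
    print("removed by the fix:", *removed_between(BEFORE, AFTER), sep="\n  ")
```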

#8 mk12

Posted 07 April 2008 - 05:48 PM

Here is the fresh hj log you requested. I did not delete O1 - Hosts: 216.203.102.48 SC00102, as I do not know what it is for sure!
Also would like to know if after computer is fixed if I can uninstall the things used to fix it, or do you recommend keeping them on in addition to my SecureIT?


Logfile of HijackThis v1.99.1
Scan saved at 6:38:10 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\SCMonitorService.exe
C:\Program Files\SecurityCoverage Help and Support Center\SCSchedulerService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\Imgtask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SecurityCoverage Help and Support Center\SCControlPanel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 216.203.102.48 SC00102
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SECURI~1\SPYWAR~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [ImgTask] C:\WINDOWS\Imgtask.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\onaccess.exe" -erk
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SCPopupBlocker] C:\Program Files\SecurityCoverage Help and Support Center\PopupBlocker.exe
O4 - HKLM\..\Run: [SCControlPanel] C:\Program Files\SecurityCoverage Help and Support Center\SCControlPanel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\quarantine\Redirector.exe.scm
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akama...ol/SymDlBrg.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureIT Monitor Service 2.0 (SCMonitor) - Unknown owner - C:\Program Files\SecurityCoverage Help and Support Center\scmonitor\SCMonitorService.exe
O23 - Service: SecureIT Scheduling Service (SCSschedulerService) - Unknown owner - C:\Program Files\SecurityCoverage Help and Support Center\SCSchedulerService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

#9 Blade81

Posted 08 April 2008 - 12:59 AM

Also would like to know if after computer is fixed if I can uninstall the things used to fix it, or do you recommend keeping them on in addition to my SecureIT?


Hi

I recommend keeping Malwarebytes Anti-Malware and run it regularly. ComboFix you may delete though.


Reset Teatimer

* Right-click >here< and select "Save as" and save it without changing the name to your desktop
* Double click ResetTeaTimer.bat
* Open Spybot S&D
o Click Mode > check Advanced Mode
o Go to the left Panel and click Tools then, also in left panel, click Resident (OK any firewall prompts)
o Check the box labeled Resident Tea-Timer and OK any prompts
o Use File > Exit to terminate Spybot
* Reboot your machine for the changes to take effect
* You can now delete ResetTeaTimer.bat




Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Next we remove all used tools.

Please download OTMoveIt2 and save it to desktop.
  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
    The program is available for download here
  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here
    SpywareBlaster tutorial
  • Download iespyad
    It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
    If you need help understanding how it works, there is a tutorial here
    Download it here
  • hosts file:
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the start button (at the lower left hand corner of your screen)
  • Click run
  • In the dialog box, type services.msc
  • hit enter, then locate dns client
  • Highlight it, then double-click it.
  • On the dropdown box, change the setting from automatic to manual.
  • Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)

#10 mk12

Posted 09 April 2008 - 05:08 AM

It appears as though my troubles are gone!!! I have yet to notice a problem. I cannot tell you how thankful I am for all of your assistance on this fantastic website!!!! What you guys do is great! I will be sure to pass on how this website works and how wonderful the assistance is! Thank you, mk12

#11 Blade81

Posted 09 April 2008 - 06:54 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.