[Resolved] xp infected with trojans 35 pakes & win32 agent cy


  • This topic is locked
16 replies to this topic

#1 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 20 May 2008 - 10:36 AM

have major problems with pop ups and system changes.need advice on what to do. done hjt scan. what next ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Tuesday, May 20, 2008 6:14:33 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 19/05/2008 Kaspersky Anti-Virus database records: 786008 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 134585 Number of viruses found: 9 Number of infected objects: 18 Number of suspicious objects: 0 Duration of the scan process: 03:01:41 Infected Object Name / Virus Name / Last Action C:\805523f8bc117d1929\$shtdwn$.req Object is locked skipped C:\805523f8bc117d1929\common\eula.txt Object is locked skipped C:\805523f8bc117d1929\common\spcustom.dll Object is locked skipped C:\805523f8bc117d1929\common\spmsg.dll Object is locked skipped C:\805523f8bc117d1929\common\spuninst.exe Object is locked skipped C:\805523f8bc117d1929\common\update.exe Object is locked skipped C:\805523f8bc117d1929\sp1\ara\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ara\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\chs\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\chs\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\cht\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\cht\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\csy\hsc.system.errors.connection.htm.cab Object is locked skipped 
C:\805523f8bc117d1929\sp1\csy\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\dan\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\dan\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\deu\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\deu\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ell\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ell\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\esn\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\esn\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\fin\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\fin\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\fra\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\fra\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\heb\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\heb\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\helpctr.exe Object is locked skipped C:\805523f8bc117d1929\sp1\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\hscupd.exe Object is locked skipped C:\805523f8bc117d1929\sp1\hscxpsp1.cab Object is locked skipped C:\805523f8bc117d1929\sp1\hun\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\hun\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ita\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ita\hsc.system.scripts.common.js.cab Object is locked skipped 
C:\805523f8bc117d1929\sp1\jpn\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\jpn\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\kor\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\kor\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\nld\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\nld\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\nor\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\nor\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\plk\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\plk\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ptb\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ptb\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ptg\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\ptg\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\rus\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\rus\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\sve\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\sve\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\trk\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp1\trk\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp1\update\kb840374.cat Object is locked skipped C:\805523f8bc117d1929\sp1\update\update.inf Object is locked skipped C:\805523f8bc117d1929\sp1\update\update.ver Object is 
locked skipped C:\805523f8bc117d1929\sp2\ara\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ara\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\chs\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\chs\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\cht\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\cht\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\csy\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\csy\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\dan\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\dan\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\deu\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\deu\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ell\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ell\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\esn\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\esn\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\fin\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\fin\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\fra\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\fra\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\heb\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\heb\hsc.system.scripts.common.js.cab Object is locked skipped 
C:\805523f8bc117d1929\sp2\helpctr.exe Object is locked skipped C:\805523f8bc117d1929\sp2\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\hscupd.exe Object is locked skipped C:\805523f8bc117d1929\sp2\hun\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\hun\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ita\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ita\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\jpn\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\jpn\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\kor\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\kor\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\nld\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\nld\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\nor\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\nor\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\plk\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\plk\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ptb\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ptb\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ptg\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\ptg\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\rus\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\rus\hsc.system.scripts.common.js.cab Object is 
locked skipped C:\805523f8bc117d1929\sp2\spmsg.dll Object is locked skipped C:\805523f8bc117d1929\sp2\spuninst.exe Object is locked skipped C:\805523f8bc117d1929\sp2\sve\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\sve\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\trk\hsc.system.errors.connection.htm.cab Object is locked skipped C:\805523f8bc117d1929\sp2\trk\hsc.system.scripts.common.js.cab Object is locked skipped C:\805523f8bc117d1929\sp2\update\eula.txt Object is locked skipped C:\805523f8bc117d1929\sp2\update\kb840374.cat Object is locked skipped C:\805523f8bc117d1929\sp2\update\spcustom.dll Object is locked skipped C:\805523f8bc117d1929\sp2\update\update.exe Object is locked skipped C:\805523f8bc117d1929\sp2\update\update.inf Object is locked skipped C:\805523f8bc117d1929\sp2\update\update.ver Object is locked skipped C:\805523f8bc117d1929\xpsp1hfm.exe Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05182008-091114.log Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and 
Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\Owner\Application Data\Motive\Acme\plugin\log\pchbtn.log Object is locked skipped C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AB92DB55-F04D-4E7F-A87F-E7F4BCA8356C} Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\ mon001.log Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\MPSampleSubmit\~.exe.xor Infected: Trojan.Win32.Agent.cyt skipped C:\Documents and Settings\Owner\Local Settings\Temp\NER12.tmp\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DFD64B.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DFD66D.tmp Object 
is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DFD76C.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\91OY3LE5\index[1].htm Infected: Trojan.JS.Pakes.l skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\A5853EY1\XPantivirus2008_v880062[1].exe Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JVW1TMFW\rld[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped C:\Program Files\blueyonder IST\log\mpbtn.log Object is locked skipped C:\Program Files\blueyonder IST\SmartBridge\AlertFilter.log Object is locked skipped C:\Program Files\blueyonder IST\SmartBridge\log\httpclient.log Object is locked skipped C:\Program Files\blueyonder IST\SmartBridge\SmartBridge.log Object is locked skipped C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Anytime\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Anytime\SignupLt.exe CAB: infected - 1 skipped C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Reinstall\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Reinstall\SignupLt.exe CAB: infected - 1 skipped C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Standard\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b 
skipped C:\Program Files\Online Services\BTopenworldAnytime\Narrowband\Signup\Standard\SignupLt.exe CAB: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{DE26ADE1-E7AF-415B-AA1F-B0F1DBFF538C}\RP1407\A0208188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped C:\System Volume Information\_restore{DE26ADE1-E7AF-415B-AA1F-B0F1DBFF538C}\RP1407\A0208190.exe Infected: Trojan.Win32.Agent.cyt skipped C:\System Volume Information\_restore{DE26ADE1-E7AF-415B-AA1F-B0F1DBFF538C}\RP1410\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Downloaded Program Files\btmailcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.f skipped C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped C:\WINDOWS\mpcodecplg.dll Infected: not-a-virus:AdWare.Win32.Agent.acl skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped 
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\ewjcboeg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\toyyoaup.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped Scan process completed.



#2 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 26 May 2008 - 05:23 PM

Hello chumpynuts

Welcome to the What the Tech Malware Removal Forum. You're posting all over the forum and we can't keep track of you; reply to this thread only by using the ADD REPLY and DO NOT START ANY NEW TOPICS.

Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Just a reminder that threads will be closed if no reply in 3 days.


#3 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 26 May 2008 - 11:23 PM

Here we go with HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:21 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gdpwafev.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {29f03acc-f47e-36da-0f54-93bbac0f34ec} - {ce43f0ca-bb39-45f0-ad63-e74fcca30f92} - C:\WINDOWS\system32\fvcbohth.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123515216000
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/...ewer/isetup.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

--
End of file - 9154 bytes
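The triage below is an added example, not part of this thread and not HijackThis's own logic: it applies the checks a helper runs by eye over a log like the one above (BHOs with no name or a GUID for a name, random eight-letter DLL names in system32, Run entries that give a bare filename or start under the SYSTEM/Default user hives, services whose file is missing). The sample lines are copied from the log above; every hit is only a candidate for review, not a verdict, and the legitimate `ALCXMNTR.EXE` entry is flagged deliberately to show that.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# mixed with known-good entries so the heuristics have both kinds of input.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gdpwafev.dll
O2 - BHO: {29f03acc-f47e-36da-0f54-93bbac0f34ec} - {ce43f0ca-bb39-45f0-ad63-e74fcca30f92} - C:\WINDOWS\system32\fvcbohth.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
"""

# Line shapes of the three HJT sections this triage looks at.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
# Eight lowercase letters, the shape of the Virtumonde-style DLL names in this log.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def executable_of(cmd):
    """Return the program part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Return a list of {'line', 'section', 'reasons'} for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons, section = [], None
        m = BHO_RE.match(line)
        if m:
            section = "O2"
            name, path = m.group("name"), m.group("path")
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if name == "(no name)" or GUID_RE.match(name):
                reasons.append("BHO without a descriptive name")
            if "\\system32\\" in path.lower() and RANDOM_STEM_RE.match(stem):
                reasons.append("random-looking DLL name in system32")
        m = m or RUN_RE.match(line)
        if m and section is None:
            section = "O4"
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe and "%" not in exe:
                # No directory: the loader resolves it at boot, so the log cannot say what runs.
                reasons.append("Run entry with bare filename (no path)")
            if m.group("user") in ("SYSTEM", "Default user"):
                reasons.append("autostart under SYSTEM/Default user hive")
        m = m or SVC_RE.match(line)
        if m and section is None:
            section = "O23"
            if "(file missing)" in m.group("path"):
                reasons.append("service points to a missing file")
        if reasons:
            findings.append({"line": line, "section": section, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["section"], "|", "; ".join(hit["reasons"]))
        print("   ", hit["line"])
```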

#4 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 27 May 2008 - 02:56 AM

Hello,

You have quite a few infections on your system; this is going to take running a few tools to fix.

For this tool to be effective it has to be run from Safemode.

To Enter Safemode

  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode





Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Want to help others? Join our Malware Removal Classroom HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Just a reminder that threads will be closed if no reply in 3 days.


#5 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 27 May 2008 - 11:15 AM

Hi Ken, here's the SDFix log. I will post the HJT log next.
SDFix: Version 1.186
Run by Owner on Tue 05/27/2008 at 05:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TFTP1524 - Deleted
C:\WINDOWS\system32\TFTP1744 - Deleted
C:\WINDOWS\system32\TFTP1908 - Deleted
C:\WINDOWS\system32\TFTP2088 - Deleted
C:\WINDOWS\system32\TFTP2108 - Deleted
C:\WINDOWS\system32\TFTP2148 - Deleted
C:\WINDOWS\system32\TFTP2232 - Deleted
C:\WINDOWS\system32\TFTP232 - Deleted
C:\WINDOWS\system32\TFTP2432 - Deleted
C:\WINDOWS\system32\TFTP2760 - Deleted
C:\WINDOWS\system32\TFTP2844 - Deleted
C:\WINDOWS\system32\TFTP2864 - Deleted
C:\WINDOWS\system32\TFTP2880 - Deleted
C:\WINDOWS\system32\TFTP2980 - Deleted
C:\WINDOWS\system32\TFTP2996 - Deleted
C:\WINDOWS\system32\TFTP3032 - Deleted
C:\WINDOWS\system32\TFTP3132 - Deleted
C:\WINDOWS\system32\TFTP3212 - Deleted
C:\WINDOWS\system32\TFTP3240 - Deleted
C:\WINDOWS\system32\TFTP3268 - Deleted
C:\WINDOWS\system32\TFTP3376 - Deleted
C:\WINDOWS\system32\TFTP340 - Deleted
C:\WINDOWS\system32\TFTP3464 - Deleted
C:\WINDOWS\system32\TFTP4092 - Deleted
C:\WINDOWS\system32\TFTP560 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 17:52:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphver05.exe"="C:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphver05.exe:*:Disabled:About"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\BitComet\\Downloads\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\Downloads\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime Essentials"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jun 2004 196 A.SHR --- "C:\BOOT.BAK"
Thu 6 Sep 2001 1,700,352 A..H. --- "C:\gdiplus.dll"
Thu 15 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 20 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 8 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sun 8 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sun 8 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sun 8 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sun 8 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sun 8 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sun 8 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sun 8 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sun 8 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sun 8 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sun 8 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Wed 11 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sun 8 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sun 8 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Wed 11 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sun 8 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sun 8 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sun 8 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sun 8 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sun 8 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sun 8 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sun 8 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sun 8 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sun 8 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"

Finished!
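The "Authorized Application Key Export" near the end of the SDFix report above is the Windows Firewall exceptions list: every program listed as Enabled may accept inbound connections. SDFix prints it because that list is one of the places malware adds itself, and it is also where stale software lingers; here it still holds an entry for the JRE 1.5.0_02 javaw.exe next to several P2P clients. The Python script below is an added example written for this page, not part of SDFix or of the thread. It parses the export format (the value data is `path:scope:mode:name`, the XP SP2 layout) and reports which entries are enabled and whether the path inside the value actually matches the key. The last sample row is constructed to exercise that mismatch check and did not appear in the report.

```python
"""Parse the Windows Firewall AuthorizedApplications export that SDFix
appends to its report, and show which programs may accept inbound traffic.

Added example for this thread, not part of SDFix. Each registry value has
the XP SP2 layout
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
where <scope> '*' means any remote address. Because <path> itself holds a
colon (the drive letter), the value cannot simply be split on ':'; the key
is used to peel the path off first.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample: the first rows of the StandardProfile list from the SDFix report
# posted above, plus one constructed row (the last) whose value path differs
# from its key. That last row was not in the report.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphver05.exe"="C:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphver05.exe:*:Disabled:About"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\example\\agent.exe"="C:\\example\\other.exe:*:Enabled:constructed mismatch row"
"""

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')


@dataclass
class FirewallEntry:
    key_path: str    # registry value name
    value_path: str  # path repeated inside the value data
    scope: str       # '*' = any remote address
    enabled: bool
    name: str        # display name shown in the firewall UI

    @property
    def path_mismatch(self) -> bool:
        """Key and value should name the same binary; a difference is odd."""
        return self.key_path.lower() != self.value_path.lower()


def _unescape(s: str) -> str:
    # .reg exports double every backslash
    return s.replace("\\\\", "\\")


def parse_authorized_apps(export: str) -> List[FirewallEntry]:
    entries: List[FirewallEntry] = []
    for raw in export.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # section header or blank line
        key = _unescape(m.group("key"))
        value = _unescape(m.group("value"))
        if value.lower().startswith(key.lower() + ":"):
            value_path, rest = value[:len(key)], value[len(key) + 1:]
        else:
            # Value path differs from the key: best effort, cut after ".exe:".
            cut = value.lower().find(".exe:")
            if cut < 0:
                continue  # cannot parse; skip rather than guess
            value_path, rest = value[:cut + 4], value[cut + 5:]
        scope, mode, name = (rest.split(":", 2) + ["", "", ""])[:3]
        entries.append(FirewallEntry(key, value_path, scope,
                                     mode.lower() == "enabled", name))
    return entries


def enabled_entries(entries: List[FirewallEntry]) -> List[FirewallEntry]:
    return [e for e in entries if e.enabled]


def mismatched_entries(entries: List[FirewallEntry]) -> List[FirewallEntry]:
    return [e for e in entries if e.path_mismatch]


if __name__ == "__main__":
    parsed = parse_authorized_apps(SAMPLE_EXPORT)
    print(f"{len(parsed)} exceptions, {len(enabled_entries(parsed))} enabled")
    for e in parsed:
        flag = "  <-- path mismatch" if e.path_mismatch else ""
        state = "ENABLED " if e.enabled else "disabled"
        print(f"{state} {e.scope:2} {e.key_path}  ({e.name}){flag}")
```

Run it against the full export pasted from your own SDFix report (or a `reg export` of the same key) and remove or disable any exception you do not recognise; a firewall exception for a program you no longer use, such as the JRE 1.5 javaw.exe here, keeps a door open for nothing.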

#6 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 27 May 2008 - 11:18 AM

Hi Ken, here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:51 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gdpwafev.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {29f03acc-f47e-36da-0f54-93bbac0f34ec} - {ce43f0ca-bb39-45f0-ad63-e74fcca30f92} - C:\WINDOWS\system32\fvcbohth.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123515216000
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/...ewer/isetup.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

--
End of file - 9127 bytes

#7 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 27 May 2008 - 11:43 AM

Hey,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gdpwafev.dll
O2 - BHO: {29f03acc-f47e-36da-0f54-93bbac0f34ec} - {ce43f0ca-bb39-45f0-ad63-e74fcca30f92} - C:\WINDOWS\system32\fvcbohth.dll

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')




Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\gdpwafev.dll
    C:\WINDOWS\system32\fvcbohth.dll
    C:\Windows\System32\lsrv.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.


Post the OTMoveIt log, the Malwarebytes log and a New HJT log.

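The entries Ken singles out for fixing share traits that can be checked mechanically: the two BHOs have no display name (one uses a second GUID as its name) and load from system32, and the lsrv.exe Run values are bare file names registered under the SYSTEM and .DEFAULT hives, where legitimate software almost never autostarts. The Python script below is an added example written for this page, not HijackThis code and not part of the thread; it applies those heuristics to HJT O2, O4 and O23 lines taken from the log above. It only ranks entries for a person to look at: ALCXMNTR.EXE, which Ken did not flag, lands at medium severity purely because it is a bare file name that Windows locates through the PATH search order.

```python
"""Heuristic triage of HijackThis v2 log lines (O2, O4 and O23 sections).

Added example for this thread; not HijackThis code. The heuristics rank
entries for a human to review and are not a verdict on any file:
  * O2  BHO whose display name is "(no name)" or a bare GUID and whose DLL
        lives in system32.
  * O4  Run value whose command is only a bare file name, so the binary is
        found through the PATH search order rather than a fixed path.
  * O4  Run value registered under the SYSTEM (S-1-5-18) or .DEFAULT hive.
  * O23 service whose binary HJT reports as "(file missing)".
"""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gdpwafev.dll
O2 - BHO: {29f03acc-f47e-36da-0f54-93bbac0f34ec} - {ce43f0ca-bb39-45f0-ad63-e74fcca30f92} - C:\WINDOWS\system32\fvcbohth.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
SYSTEM_HIVES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}


@dataclass
class Finding:
    section: str   # "O2", "O4" or "O23"
    target: str    # the file the entry points at
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def executable_of(command: str) -> str:
    """Return the program part of an O4 Run value: drop HJT's trailing
    "(User '...')" note, then take the quoted path or the first token.
    An unquoted path with spaces keeps only its first token, which is still
    enough to tell a real path from a bare file name."""
    command = re.sub(r"\s*\(User '[^']*'\)\s*$", "", command).strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    parts = command.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            anonymous = name == "(no name)" or bool(GUID_RE.match(name))
            if anonymous and "\\system32\\" in path.lower():
                findings.append(Finding("O2", path, "high",
                    "BHO with no display name (or a GUID as its name) loading from system32", line))
            elif anonymous:
                findings.append(Finding("O2", path, "medium", "BHO with no display name", line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, exe = m.group("hive"), executable_of(m.group("cmd"))
            system_hive = hive.upper() in SYSTEM_HIVES
            bare = exe != "" and "\\" not in exe and "%" not in exe
            reasons = []
            if system_hive:
                reasons.append(f"Run value registered for {hive} (SYSTEM/default profile)")
            if bare:
                reasons.append("bare file name, located via the PATH search order")
            if reasons:
                findings.append(Finding("O4", exe, "high" if system_hive else "medium",
                                        "; ".join(reasons), line))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            path = m.group("path")[: -len("(file missing)")].strip()
            findings.append(Finding("O23", path, "low", "service binary not present on disk", line))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.section:3} {f.target}\n         {f.reason}")
```

Paste a whole HJT log into `SAMPLE_LOG` (or read it from a file) and work down from the high-severity entries; anything at medium is only a prompt to confirm what the file is, not a reason to remove it.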


#8 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 27 May 2008 - 03:25 PM

Hi Ken, here is the OTMoveIt log:
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gdpwafev.dll
C:\WINDOWS\system32\gdpwafev.dll NOT unregistered.
C:\WINDOWS\system32\gdpwafev.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fvcbohth.dll
C:\WINDOWS\system32\fvcbohth.dll NOT unregistered.
C:\WINDOWS\system32\fvcbohth.dll moved successfully.
File/Folder C:\Windows\System32\lsrv.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05272008_215515

Malwarebytes log:

Malwarebytes' Anti-Malware 1.12
Database version: 791

Scan type: Quick Scan
Objects scanned: 67798
Time elapsed: 19 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.


And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:04 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123515216000
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/...ewer/isetup.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

--
End of file - 8811 bytes

#9 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 27 May 2008 - 03:50 PM

chumpynuts,

Where did you get that name? I have been at this in the forums for about 5 years and the logon names sometimes crack me up.

Your log looks clean :thumbup:

Run this cleaner to get rid of any temp files, which are sometimes places where this garbage leaves files.


Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.



  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it.
    Select it and click Remove.
  • Reboot your system.
  • Then go to Sun Microsystems and install the update
  • Java Runtime Environment (JRE) 6 Update 6 <--This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here: Sun Java Verify
I like to do the offline installation and save the setup file in case I may need it in the future.



How is your system behaving now?



#10 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 28 May 2008 - 09:01 AM

Hi Ken, thanks for all your help so far. The name chumpynuts came about from a UK comedy sketch show. The sketch was based in the Midlands of the UK. The chumpy part is a term of endearment to somebody you don't know, similar to your howdy doody. As for the nuts, seemed like a good idea at the time. Now back to the drawing board. System seems OK, but as you say in your post it may load a little slower to start with. I have done a virus scan which is up to date. I enclose the log for your advice. Apart from that I got back a lot of hard drive, nearly 20GB.

eTrust EZ Antivirus Version 6.2.0.21
Started scanning: 9:35:50 AM, 5/28/2008
Dat file v10124
Scanning boot sectors...
Drive A: is not ready.
C:\ Master Boot Record matches template, is unknown but seems OK.
C:\ Partition Boot Record matches template, is OK: standard Win2000 (2).
D:\ Master Boot Record matches template, is unknown but seems OK.
D:\ Partition Boot Record matches template, is unknown but seems OK.
Drive E: is not ready.
Drive F: is not ready.
Scanning file(s)...
C:\805523f8bc117d1929\$shtdwn$.req - error in scanning - scan abandoned.
C:\805523f8bc117d1929\xpsp1hfm.exe - error in scanning - scan abandoned.
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05182008-091114.log - unable to open file - not scanned.
C:\Documents and Settings\Default User\My Documents\prog files\wrar330.exe - scan incomplete.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG - unable to open file - not scanned.
C:\Documents and Settings\Owner\Application Data\Motive\Acme\plugin\log\pchbtn.log - unable to open file - not scanned.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>MagicApplet.class - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>OwnClassLoader.class - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>ProxyClassLoader.class - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>Installer.class - Java.Shinwow.BG trojan.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7 contains infected files.
C:\Documents and Settings\Owner\Cookies\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Owner\Desktop\SDFix.exe - scan incomplete.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A3F722B6-4284-4C5D-9352-03C8414DFF1F} - unable to open file - not scanned.
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Owner\My Documents\films\Ultimate Ringtones.rar - scan incomplete.
C:\Documents and Settings\Owner\My Documents\prog files\wrar330.exe - scan incomplete.
C:\Documents and Settings\Owner\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\Owner\NTUSER.DAT.LOG - unable to open file - not scanned.
C:\hiberfil.sys - unable to open file - not scanned.
C:\pagefile.sys - unable to open file - not scanned.
C:\Program Files\blueyonder IST\log\mpbtn.log - unable to open file - not scanned.
C:\Program Files\blueyonder IST\SmartBridge\AlertFilter.log - unable to open file - not scanned.
C:\Program Files\blueyonder IST\SmartBridge\log\httpclient.log - unable to open file - not scanned.
C:\Program Files\blueyonder IST\SmartBridge\SmartBridge.log - unable to open file - not scanned.
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VIRUSLOG.TXT - unable to open file - not scanned.
C:\Program Files\Common Files\Roxio Shared\Support\about.rtf>PBrush - unable to open file - not scanned.
C:\Program Files\Common Files\Roxio Shared\Support\about.rtf>PBrush - unable to open file - not scanned.
C:\Program Files\Common Files\Roxio Shared\Support\about.rtf - scan incomplete.
C:\Program Files\RecordNow!\Tutorial\ENU\TutorialENU.exe - scan incomplete.
C:\Program Files\RecordNow!\Tutorial\Movies\movies.exe - scan incomplete.
C:\Program Files\WinRAR\WinRAR.rar - scan incomplete.
C:\RECYCLER\S-1-5-21-3791964687-3023771741-33532248-1003\Dc154.m2v - unsupported file format - scan aborted.
C:\RECYCLER\S-1-5-21-3791964687-3023771741-33532248-1003\Dc163.rar - scan incomplete.
C:\RECYCLER\S-1-5-21-3791964687-3023771741-33532248-1003\Dc165.RAR - scan incomplete.
C:\RECYCLER\S-1-5-21-3791964687-3023771741-33532248-1003\Dc166.rar - scan incomplete.
C:\RECYCLER\S-1-5-21-3791964687-3023771741-33532248-1003\Dc168.zip>DVDXCOPY PLATINUM 4.0.3.8 CRACK.RAR - scan incomplete.
C:\RECYCLER\S-1-5-21-3791964687-3023771741-33532248-1003\Dc168.zip - scan incomplete.
C:\WINDOWS\Debug\PASSWD.LOG - unable to open file - not scanned.
C:\WINDOWS\I386\WBCACHE.DE_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.EN_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.ES_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.FR_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.IT_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.NL_ - scan incomplete.
C:\WINDOWS\I386\WBCACHE.SV_ - scan incomplete.
C:\WINDOWS\SchedLgU.Txt - unable to open file - not scanned.
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log - unable to open file - not scanned.
C:\WINDOWS\Sti_Trace.log - unable to open file - not scanned.
C:\WINDOWS\system32\CatRoot2\edb.log - unable to open file - not scanned.
C:\WINDOWS\system32\CatRoot2\tmp.edb - unable to open file - not scanned.
C:\WINDOWS\system32\config\AppEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\default - unable to open file - not scanned.
C:\WINDOWS\system32\config\default.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\Internet.evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\SAM - unable to open file - not scanned.
C:\WINDOWS\system32\config\SAM.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\SecEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\SECURITY - unable to open file - not scanned.
C:\WINDOWS\system32\config\SECURITY.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\software - unable to open file - not scanned.
C:\WINDOWS\system32\config\software.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\SysEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\system32\config\system - unable to open file - not scanned.
C:\WINDOWS\system32\config\system.LOG - unable to open file - not scanned.
C:\WINDOWS\system32\config\systemprofile\My Documents\prog files\wrar330.exe - scan incomplete.
C:\WINDOWS\system32\h323log.txt - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA - unable to open file - not scanned.
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP - unable to open file - not scanned.
C:\WINDOWS\Twunk002.MTX - unable to open file - not scanned.
C:\WINDOWS\wiadebug.log - unable to open file - not scanned.
C:\WINDOWS\wiaservc.log - unable to open file - not scanned.
C:\WINDOWS\WindowsUpdate.log - unable to open file - not scanned.
D:\cmdcons\Protect.ed>PBrush - unable to open file - not scanned.
D:\cmdcons\Protect.ed - scan incomplete.
D:\MiniNT\Protect.ed>PBrush - unable to open file - not scanned.
D:\MiniNT\Protect.ed - scan incomplete.
D:\PRELOAD\Protect.ed>PBrush - unable to open file - not scanned.
D:\PRELOAD\Protect.ed - scan incomplete.
D:\protect.ed>PBrush - unable to open file - not scanned.
D:\protect.ed - scan incomplete.
D:\I386\WBCACHE.DE_ - scan incomplete.
D:\I386\WBCACHE.EN_ - scan incomplete.
D:\I386\WBCACHE.ES_ - scan incomplete.
D:\I386\WBCACHE.FR_ - scan incomplete.
D:\I386\WBCACHE.IT_ - scan incomplete.
D:\I386\WBCACHE.NL_ - scan incomplete.
D:\I386\WBCACHE.SV_ - scan incomplete.
D:\I386\Protect.ed>PBrush - unable to open file - not scanned.
D:\I386\Protect.ed - scan incomplete.
D:\TOOLS\Protect.ed>PBrush - unable to open file - not scanned.
D:\TOOLS\Protect.ed - scan incomplete.
D:\hp\Protect.ed>PBrush - unable to open file - not scanned.
D:\hp\Protect.ed - scan incomplete.
D:\RECOVERY\Protect.ed>PBrush - unable to open file - not scanned.
D:\RECOVERY\Protect.ed - scan incomplete.
Finished scanning: 11:33:38 AM, 5/28/2008
Number of files scanned: 233676.
Number of files that could not be scanned: 73
Number of archives containing infected files: 1
Number of infections: 4
Number of infected files not cleaned/deleted/renamed: 4
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>MagicApplet.class (Java.ByteVerify!exploit trojan)
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>OwnClassLoader.class (Java.ByteVerify!exploit trojan)
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>ProxyClassLoader.class (Java.ByteVerify!exploit trojan)
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>Installer.class (Java.Shinwow.BG trojan)

Once again, thanks for all your help.



#11 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 28 May 2008 - 10:37 AM

Hello,

Let's delete these files. Run them through OTMoveIt and post that report.

C:\WINDOWS\system32\ewjcboeg.dll
C:\WINDOWS\system32\toyyoaup.dll


Most of what your virus scanner found is located in the Java cache, so let's flush it all out.

Go to Start > Control Panel (up at the top left, make sure you're in Classic View) and open Java.
Then look for a tab that says Cache and choose Clear Cache.
(Newer versions might have Delete Temporary Internet Files; delete them.)
Do that for every Java icon, if there is more than one.


You also have some bad entries in your System Restore program, so let's flush that out too, and make sure you follow the instructions to create a new restore point.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Reboot your computer


Turn ON System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Create a new Restore Point <-- Very Important

  • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
    You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point
System Restore Tutorial <-- If you need it

Run Panda's ActiveScan and perform a full system scan. This will only run with Internet Explorer.
  • Once you are on the Panda site click the "Scan your PC" button
  • A new window will open...click the big "Check Now" button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It will take a couple of minutes)
  • If you are on a slow connection it will take about 15 minutes for the scanner to load.
  • Click on "Local Disks" to start the scan
  • Once the scan is done, click "see report" then "save report"
  • Save the log someplace you can find
  • Reboot
  • Post the Panda scan results in your next reply

Post the OTMoveIt log, the Panda report and one last HJT log, please.



#12 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 28 May 2008 - 11:56 AM

Here is the OTMoveIt log:

File/Folder C:\WINDOWS\system32\ewjcboeg.dll not found.
File/Folder C:\WINDOWS\system32\toyyoaup.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05282008_185540

#13 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 29 May 2008 - 09:21 AM

Hi Ken,
I did the OTMoveIt log first as directed and sent that to you. As you can see, it could not find the files you said to delete. I now enclose the Panda report and HJT log.
;*******************************************************************************
ANALYSIS: 2008-05-29 16:01:16
PROTECTIONS: 1
MALWARE: 24
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Windows Defender 1.1.3520.0 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42b8-B3F7-832E75EDD959}
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}
00013869 adware/cydoor Adware No 0 Yes No c:\windows\system32\adcache
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\adult
00101555 Application/KillApp.B HackTools No 0 Yes No C:\hp\bin\KillIt.exe
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\owner@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\owner@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@anm.co[2].txt
00158271 dialer.asl Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
00161217 adware/abox Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000020040000}
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[2].txt
00167776 Cookie/Kount TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\owner@kount[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adviva[2].txt
00293491 Dialer.HLO Dialers No 1 Yes No C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
00293493 Dialer.HLO Dialers No 1 Yes No C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2877CEE0-8C4F-4243-A8B9-29F450.asq
02906154 Adware/AdsRevenue Adware No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WLBMDFO1\popup[1].htm
02906154 Adware/AdsRevenue Adware No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NCU6JTJ7\popup[2].htm
02906154 Adware/AdsRevenue Adware No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LY8Y41KH\popup[1].htm
02906154 Adware/AdsRevenue Adware No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\POZTDFRC\popup[1].htm
02906154 Adware/AdsRevenue Adware No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OD10VQ19\popup[1].htm
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\WINDOWS\system32\twtpktrd.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\WINDOWS\system32\qnglddmc.exe
02981904 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\uqyamhab.dll
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\hxvydoxk.exe
02990293 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\epwcqvqf.exe
;===============================================================================
SUSPECTS
Sent Location (
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description (
;===============================================================================
;===============================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:04 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123515216000
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/...ewer/isetup.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

--
End of file - 8862 bytes

#14 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 29 May 2008 - 11:34 AM

Your log looks fine :thumbup:

But look for these and delete them if present. Keep them in the Recycle Bin for a day or two to make sure you have no issues.

You need to enable Windows to show all files and folders; instructions Here

C:\WINDOWS\system32\twtpktrd.exe
C:\WINDOWS\system32\qnglddmc.exe
C:\WINDOWS\system32\uqyamhab.dll
C:\WINDOWS\system32\hxvydoxk.exe
C:\WINDOWS\system32\epwcqvqf.exe



Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All <--Uncheck the Recycle Bin so we don't delete those files
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner. This is expected, but it will be back to normal after the first or second boot-up.

How are things running now???

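The five files listed in the reply above were picked by reading two scanner reports by hand: the eTrust EZ Antivirus log posted earlier in the thread and the Panda ActiveScan MALWARE table in post #13. As an added example (this is not code from the thread, from the forum or from either vendor), here is a small Python triage script that parses both formats into one list, drops tracking cookies and the "not scanned" noise, and separates plain on-disk files (which a helper can ask the user to delete or quarantine) from registry keys and archive members (which need a different fix). The sample lines are constructed in the shape of the thread's reports, and the parsing rules (which eTrust verdicts mean "not examined", and Panda's column order) are assumptions taken from those samples, not from vendor documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the shape of the eTrust EZ Antivirus report
# posted in this thread (a handful of lines, not the full report).
ETRUST_SAMPLE = r"""
Scanning file(s)...
C:\hiberfil.sys - unable to open file - not scanned.
C:\Program Files\WinRAR\WinRAR.rar - scan incomplete.
C:\805523f8bc117d1929\xpsp1hfm.exe - error in scanning - scan abandoned.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7>MagicApplet.class - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-4e6df6b7 contains infected files.
Number of infections: 1
"""

# Constructed sample rows in the shape of the Panda ActiveScan MALWARE table.
PANDA_SAMPLE = r"""
Id Description Type Active Severity Disinfectable Disinfected Location
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00161217 adware/abox Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000020040000}
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\SDFix.exe[SDFix\apps\Process.exe]
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\WINDOWS\system32\twtpktrd.exe
02981904 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\uqyamhab.dll
"""


@dataclass(frozen=True)
class Finding:
    scanner: str            # "etrust" or "panda"
    location: str           # file path, archive member ('>' or '[...]') or registry key
    detection: str          # the scanner's detection name
    kind: str               # Panda's Type column; "Detection" for eTrust, which has none
    active: Optional[bool]  # Panda's Active column; None for eTrust, which has no such flag


# eTrust verdicts that mean "this file was not examined", not "infected".
# Assumption: taken from the verdicts seen in the posted log.
ETRUST_NOT_A_DETECTION = (
    "unable to open file - not scanned",
    "scan incomplete",
    "error in scanning - scan abandoned",
    "unsupported file format - scan aborted",
)


def parse_etrust(text: str) -> List[Finding]:
    """Each eTrust line is '<path> - <verdict>.'; keep only real detections."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(".")
        if not line or line.endswith(" contains infected files"):
            continue  # container summary; the member lines carry the detail
        if " - " not in line:
            continue  # header, boot-sector or summary line
        location, verdict = line.split(" - ", 1)
        if verdict in ETRUST_NOT_A_DETECTION:
            continue
        findings.append(Finding("etrust", location, verdict, "Detection", None))
    return findings


# Assumed Panda row layout: 8-digit id, description (may contain spaces),
# one-word type, Active, Severity, Disinfectable, Disinfected, then the location.
PANDA_ROW = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<kind>\S+) (?P<active>Yes|No) "
    r"(?P<sev>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<loc>.+)$"
)


def parse_panda(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        m = PANDA_ROW.match(raw.strip())
        if not m:
            continue  # header, separator or blank line
        findings.append(Finding("panda", m["loc"], m["desc"], m["kind"], m["active"] == "Yes"))
    return findings


def triage(etrust_text: str, panda_text: str) -> List[Finding]:
    """Merge both reports, drop tracking cookies, return unique findings in a stable order."""
    findings = parse_etrust(etrust_text) + parse_panda(panda_text)
    return sorted({f for f in findings if f.kind != "TrackingCookie"},
                  key=lambda f: (f.scanner, f.location))


def candidate_files(findings: List[Finding]) -> List[str]:
    """Plain files on disk that a helper would review for deletion or quarantine.
    Registry keys and members inside archives/caches are left out: deleting the
    container or clearing the cache (as the thread does for Java) is the fix there."""
    out = []
    for f in findings:
        loc = f.location
        if loc.upper().startswith("HKEY_"):
            continue
        if ">" in loc or loc.endswith("]"):
            continue
        out.append(loc)
    return out


if __name__ == "__main__":
    found = triage(ETRUST_SAMPLE, PANDA_SAMPLE)
    for f in found:
        print(f"{f.scanner:6} {f.kind:14} {f.detection:32} {f.location}")
    print("files to review:", candidate_files(found))
```

Run against the two full reports in the thread, `candidate_files` returns the on-disk paths a helper would look at by hand; it deliberately does not decide what is malicious (the SDFix `Process.exe` hit is a legitimate tool flagged as "HackTools"), it only removes the noise so that judgement is applied to a short list rather than to two hundred log lines.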


#15 chumpynuts

chumpynuts

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 29 May 2008 - 12:38 PM

Hola Ken, I have isolated the files as you suggested, done ATF Clean and a reboot. As of this moment everything seems fine. No pop-ups for the last few days, and all the cleaning has freed up a lot of disk space. System loading A-OK and no noticeable slowdown when it's ramping up. If there is anything untoward happening, do I need to put a new log up or do I use this one to reply? BTW the plastic is out for a donation.
