Full Version: Another Comp 2
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Cirrus5
Hello, I'm the person James123 posted about with the infected computer.

Here's the original thread: http://gladiator-antivirus.com/forum/index...showtopic=67788

Here's the log you requested earlier:

Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AIM 6
AOL You've Got Pictures Screensaver
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
CC_ccProxyExt
ccCommon
ccPxyCore
Crystal Maze from Hewlett-Packard Desktops (remove only)
DivX Content Uploader
DivX Web Player
Easy Internet Sign-up
Google Toolbar for Internet Explorer
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZplus450
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
KBD
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Media Entertainment Codec v1.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Mozilla Firefox (2.0.0.4)
MSRedist
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 3.5 magicMoments - HPD
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Norton WMI Update
Orbital from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic RecordNow!
SPBBC
Spy Sweeper
Super Granny from Hewlett-Packard Desktops (remove only)
SymNet
Tradewinds from Hewlett-Packard Desktops (remove only)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Updates from HP
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver


I will post a fresh log as soon as possible.
Cirrus5
Here's another log:


StartupList report, 1/28/2008, 7:03:04 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup]
HP Organize.lnk = ?

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
High Definition Audio Property Page Shortcut = HDAudPropShortcut.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
AGRSMMSG = AGRSMMSG.exe
HPHUPD06 = "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
HPHmon06 = C:\WINDOWS\system32\hphmon06.exe
KBD = C:\HP\KBD\KBD.EXE
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
URLLSTCK.exe = "c:\Program Files\Norton Internet Security\UrlLstCk.exe"
PS2 = C:\WINDOWS\system32\ps2.exe
SoundMan = SOUNDMAN.EXE
AlcWzrd = ALCWZRD.EXE
LSBWatcher = c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
Reminder = "C:\Windows\Creator\Remind_XP.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSConfig = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\dpvtporkgr.dll - {54505F14-AFC2-424A-B260-962F1AFDFD78}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NAV Helper - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Easy Internet Sign-up.job
Symantec NetDetect.job
wrSpySweeperTrialSweep.job

--------------------------------------------------

Enumerating Download Program Files:

[DivXBrowserPlugin Object]
InProcServer32 = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CODEBASE = http://go.divx.com/plugin/DivXBrowserPlugin.cab

[{D27CDB6E-AE6D-11CF-96B8-444553540000}]
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~nsu.tmp\Au_.exe|||L

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
bqxomdo: C:\WINDOWS\bqxomdo.dll
aswmklt: C:\WINDOWS\aswmklt.dll

--------------------------------------------------
End of report, 7,575 bytes
Report generated in 0.282 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


I will post the ComboFix log later.
Cirrus5
And finally the ComboFix log:

ComboFix 08-01-23.1C - HP_Owner 2008-01-28 20:04:04.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\My Documents\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 01:04 . 2008-01-28 01:04 <DIR> d-------- C:\Program Files\Webroot
2008-01-28 01:04 . 2007-07-19 22:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2008-01-28 01:04 . 2007-07-19 22:42 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-28 01:04 . 2007-07-19 22:42 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-28 01:04 . 2007-07-19 22:42 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-28 01:04 . 2007-07-19 22:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-01-28 01:03 . 2008-01-28 01:03 164 --a------ C:\install.dat
2008-01-27 23:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 23:04 . 2008-01-27 23:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 23:02 . 2008-01-27 23:02 5,120 --a------ C:\WINDOWS\ictions.dll
2008-01-27 23:02 . 2008-01-27 23:02 5,120 --a------ C:\info.exe
2008-01-25 17:20 . 2008-01-25 15:31 344,064 --a------ C:\WINDOWS\dpvtporkgr.dll
2008-01-25 17:20 . 2008-01-25 15:31 290,816 --a------ C:\WINDOWS\bqxomdo.dll
2008-01-25 17:20 . 2008-01-25 15:31 217,088 --a------ C:\WINDOWS\aswmklt.dll
2008-01-25 17:20 . 2008-01-25 15:31 172,032 --a------ C:\WINDOWS\elfwgps.dll
2008-01-25 17:20 . 2008-01-25 15:31 81,920 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-25 17:19 . 2008-01-25 17:19 <DIR> d-------- C:\Program Files\MediaEntertainmentCodec
2008-01-06 02:01 . 2008-01-28 18:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 02:01 . 2008-01-06 02:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 16:14 . 2008-01-02 16:16 <DIR> d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 01:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 14:29 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-01-28 06:06 --------- d-----w C:\Program Files\Pure Networks
2008-01-28 05:54 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-26 07:20 --------- d-----w C:\Program Files\Yahoo!
2008-01-23 19:11 --------- d-----w C:\Program Files\DivX
2008-01-12 18:11 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-02 21:15 --------- d-----w C:\Program Files\Viewpoint
2008-01-02 13:02 --------- d-----w C:\Program Files\Google
2007-12-13 17:16 1,845 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH516_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.20_T050331_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050718_N10EC8139_Z11C1048C_G80862582.MRK
2007-12-13 17:13 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-12-13 13:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-09-11 03:02 39,448 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_09_13_34_05_small.dmp.zip
2007-07-16 00:30 272,384 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-07-16 00:30 1,224,704 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-12-20 03:14 2,570,752 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-12-20 03:14 1,193,472 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2006-12-20 03:13 1,195,008 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-09-29 13:12 2,205,709 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-06-27 20:50 2,062,336 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-06-09 20:42 27,648 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-06-09 20:42 1,103,360 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54505F14-AFC2-424A-B260-962F1AFDFD78}]
2008-01-25 15:31 344064 --a------ C:\WINDOWS\dpvtporkgr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{3BF455E1-0856-4575-AEFB-FE98B34E6E2D}

[HKEY_CLASSES_ROOT\clsid\{3bf455e1-0856-4575-aefb-fe98b34e6e2d}]
[HKEY_CLASSES_ROOT\elfwgps.1]
[HKEY_CLASSES_ROOT\TypeLib\{53BA2E8A-653D-46CB-8BF1-B924D9CB64F7}]
[HKEY_CLASSES_ROOT\elfwgps]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 14:04 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 02:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 17:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-17 02:25 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-14 02:04 278528]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 01:22 58488]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 04:29 33936]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 23:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 23:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-14 01:17 2742272 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 04:23 663552]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-17 02:33 98304]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 13:00 158208]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54 5361464]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2005-02-17 02:36:24 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 05:28:24 258048]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-02-17 02:37:08 45056]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {24FEF5F9-20CC-4CA7-BA74-6F9923ED7BE1} - C:\WINDOWS\bqxomdo.dll [2008-01-25 15:31 290816]
"aswmklt"= {630D2FA0-9466-4C6D-BA63-3CF6BBF89566} - C:\WINDOWS\aswmklt.dll [2008-01-25 15:31 217088]

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 22:42]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 18:11:08 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-01-28 14:33:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-28 07:00:11 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 20:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\bqxomdo.dll
.
Completion time: 2008-01-28 20:08:49
ComboFix-quarantined-files.txt 2008-01-29 01:08:44
ComboFix2.txt 2008-01-28 14:33:27
.
2008-01-02 07:09:59 --- E O F ---
Any help will be much appreciated.
Bobbi Flekman
Hey cirrus5,

Open "Add/Remove Programs" in the Control Panel. Select the following items:
  • Media Entertainment Codec v1.6
and click "Remove" for each of them. If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.

After this post a new log from HijackThis and rerun ComboFix. Post that log as well.
Cirrus5
QUOTE (Bobbi Flekman @ Jan 29 2008, 01:16 PM)
Hey cirrus5,

Open "Add/Remove Programs" in the Control Panel. Select the following items:
  • Media Entertainment Codec v1.6
and click "Remove" for each of them. If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.

After this post a new log from HijackThis and rerun ComboFix. Post that log as well.


Here is the updated log of HijackThis, I will post ComboFix soon enough.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:49 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] "c:\Program Files\Norton Internet Security\UrlLstCk.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O21 - SSODL: bqxomdo - {24FEF5F9-20CC-4CA7-BA74-6F9923ED7BE1} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {630D2FA0-9466-4C6D-BA63-3CF6BBF89566} - C:\WINDOWS\aswmklt.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9161 bytes
Bobbi Flekman
Hi Cirrus5,

Please download SmitfraudFix

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
Cirrus5
OK, thanks. I just downloaded it and will attempt it later on.


Just in case you still want it, here's the ComboFix log:

ComboFix 08-01-23.1C - HP_Owner 2008-01-30 9:23:48.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\My Documents\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\HP_Owner\Desktop\Error Cleaner.url
C:\Documents and Settings\HP_Owner\Desktop\Privacy Protector.url
C:\Documents and Settings\HP_Owner\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\HP_Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\HP_Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\HP_Owner\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-28 21:14 . 2008-01-28 21:14 <DIR> d-------- C:\Program Files\Sun
2008-01-28 21:14 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 01:04 . 2008-01-28 01:04 <DIR> d-------- C:\Program Files\Webroot
2008-01-28 01:04 . 2007-07-19 22:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2008-01-28 01:04 . 2007-07-19 22:42 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-28 01:04 . 2007-07-19 22:42 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-28 01:04 . 2007-07-19 22:42 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-28 01:04 . 2007-07-19 22:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-01-28 01:03 . 2008-01-28 01:03 164 --a------ C:\install.dat
2008-01-27 23:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 23:04 . 2008-01-27 23:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 23:02 . 2008-01-27 23:02 5,120 --a------ C:\WINDOWS\ictions.dll
2008-01-27 23:02 . 2008-01-27 23:02 5,120 --a------ C:\info.exe
2008-01-25 17:20 . 2008-01-25 15:31 344,064 --a------ C:\WINDOWS\dpvtporkgr.dll
2008-01-25 17:20 . 2008-01-25 15:31 290,816 --a------ C:\WINDOWS\bqxomdo.dll
2008-01-25 17:20 . 2008-01-25 15:31 217,088 --a------ C:\WINDOWS\aswmklt.dll
2008-01-25 17:20 . 2008-01-25 15:31 172,032 --a------ C:\WINDOWS\elfwgps.dll
2008-01-25 17:20 . 2008-01-25 15:31 81,920 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-06 02:01 . 2008-01-28 21:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 02:01 . 2008-01-06 02:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 16:14 . 2008-01-02 16:16 <DIR> d-------- C:\Program Files\AIM6
2007-12-13 23:04 . 2004-08-04 13:00 1,483,264 --a------ C:\WINDOWS\system32\shdocvw.bak
2007-12-13 23:04 . 1998-06-26 00:00 644,400 --a------ C:\WINDOWS\system32\MSComCt2.ocx
2007-12-13 23:04 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-12-13 23:04 . 2000-05-22 00:00 203,976 --a------ C:\WINDOWS\system32\RichTx32.ocx
2007-12-13 23:04 . 2004-08-24 15:09 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2007-12-13 23:04 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSInet.ocx
2007-12-13 23:04 . 2001-11-21 10:15 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2007-12-13 23:04 . 1999-04-17 01:06 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2007-12-13 23:03 . 2004-08-24 15:09 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2007-12-13 23:03 . 2004-08-24 15:09 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2007-12-13 23:03 . 2004-08-24 15:09 29,184 --a------ C:\WINDOWS\system32\popup.ocx
2007-12-13 22:49 . 2007-02-28 04:10 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-12-13 22:49 . 2007-02-28 04:08 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-13 22:49 . 2007-02-28 03:38 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-12-13 22:49 . 2007-02-28 03:38 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-13 22:41 . 2007-12-13 22:41 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2007-12-13 22:41 . 2007-12-13 22:41 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2007-12-13 13:20 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-13 12:19 . 2006-03-16 19:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2007-12-13 12:17 . 2007-12-13 12:17 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-12-13 12:17 . 2004-11-02 17:58 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-13 12:17 . 2004-11-02 18:01 94,208 --a------ C:\WINDOWS\system32\igfxcpl.cpl
2007-12-13 12:16 . 2004-08-04 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-13 12:16 . 2007-12-13 12:16 1,845 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH516_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.20_T050331_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050718_N10EC8139_Z11C1048C_G80862582.MRK
2007-12-13 12:13 . 2007-12-13 12:13 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-12-13 11:55 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-13 11:55 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-13 11:55 . 2004-08-04 01:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-13 11:55 . 2001-08-17 16:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-13 11:55 . 2001-08-17 17:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-13 10:36 . 2007-12-17 23:12 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 02:04 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-01-30 02:03 --------- d-----w C:\Program Files\Google
2008-01-29 02:23 --------- d-----w C:\Program Files\QuickTime
2008-01-29 02:13 --------- d-----w C:\Program Files\Java
2008-01-29 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 06:06 --------- d-----w C:\Program Files\Pure Networks
2008-01-28 05:54 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-26 07:20 --------- d-----w C:\Program Files\Yahoo!
2008-01-23 19:11 --------- d-----w C:\Program Files\DivX
2008-01-12 18:11 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-02 21:15 --------- d-----w C:\Program Files\Viewpoint
2007-12-13 17:16 1,845 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH516_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.20_T050331_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050718_N10EC8139_Z11C1048C_G80862582.MRK
2007-12-13 17:13 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-12-13 13:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 06:13 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-09-11 03:02 39,448 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_09_13_34_05_small.dmp.zip
2007-07-16 00:30 272,384 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-07-16 00:30 1,224,704 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-12-20 03:14 2,570,752 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-12-20 03:14 1,193,472 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2006-12-20 03:13 1,195,008 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-09-29 13:12 2,205,709 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-06-27 20:50 2,062,336 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-06-09 20:42 27,648 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-06-09 20:42 1,103,360 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54505F14-AFC2-424A-B260-962F1AFDFD78}]
2008-01-25 15:31 344064 --a------ C:\WINDOWS\dpvtporkgr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
{3BF455E1-0856-4575-AEFB-FE98B34E6E2D}

[HKEY_CLASSES_ROOT\clsid\{3bf455e1-0856-4575-aefb-fe98b34e6e2d}]
[HKEY_CLASSES_ROOT\elfwgps.1]
[HKEY_CLASSES_ROOT\TypeLib\{53BA2E8A-653D-46CB-8BF1-B924D9CB64F7}]
[HKEY_CLASSES_ROOT\elfwgps]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 14:04 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 02:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 17:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-17 02:25 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-14 02:04 278528]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 01:22 58488]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 04:29 33936]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 23:17 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 23:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-14 01:17 2742272 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 04:23 663552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54 5361464]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2005-02-17 02:36:24 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 05:28:24 258048]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-02-17 02:37:08 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {24FEF5F9-20CC-4CA7-BA74-6F9923ED7BE1} - C:\WINDOWS\bqxomdo.dll [2008-01-25 15:31 290816]
"aswmklt"= {630D2FA0-9466-4C6D-BA63-3CF6BBF89566} - C:\WINDOWS\aswmklt.dll [2008-01-25 15:31 217088]

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 22:42]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 18:11:08 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-01-30 10:59:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-28 07:00:11 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 09:28:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 9:29:08
ComboFix-quarantined-files.txt 2008-01-30 14:29:05
ComboFix2.txt 2008-01-30 02:14:56
ComboFix3.txt 2008-01-29 07:02:09
ComboFix4.txt 2008-01-29 01:08:50
ComboFix5.txt 2008-01-28 14:33:27
.
2008-01-02 07:09:59 --- E O F ---


Thanks for your help, Mr. Flekman.
Bobbi Flekman
Hi Cirrus5,

I think that SmitfraudFix will take care of what I see in this log, so I'll take action when you post the next HijackThis log and the results file from SmitfraudFix.
Cirrus5
QUOTE (Bobbi Flekman @ Jan 31 2008, 12:58 PM) *
Hi Cirrus5,

I think that SmitfraudFix will take care of what I see in this log, so I'll take action when you post the next HijackThis log and the results file from SmitfraudFix.


These are the results from SmitfraudFix:

SmitFraudFix v2.277

Scan done at 14:40:59.23, Fri 02/01/2008
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\HP_Owner\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\HP_Owner\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\HP_Owner\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\HP_Owner\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\HP_Owner\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\HP_Owner\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AD6D5F66-4FF5-457F-8398-82AD043A6BA3}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AD6D5F66-4FF5-457F-8398-82AD043A6BA3}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AD6D5F66-4FF5-457F-8398-82AD043A6BA3}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Cirrus5
*sighs* Somehow I'm still infected.
Bobbi Flekman
Where is the HijackThis log? The Anti-Smitfraud did its job, so there has to be something else in the log. Which is why I asked for both ;)
Cirrus5
QUOTE (Bobbi Flekman @ Feb 4 2008, 02:04 PM) *
Where is the HijackThis log? The Anti-Smitfraud did its job, so there has to be something else in the log. Which is why I asked for both ;)

I see. I will get right on it.
Cirrus5
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:48 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] "c:\Program Files\Norton Internet Security\UrlLstCk.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O21 - SSODL: bqxomdo - {24FEF5F9-20CC-4CA7-BA74-6F9923ED7BE1} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {630D2FA0-9466-4C6D-BA63-3CF6BBF89566} - C:\WINDOWS\aswmklt.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7785 bytes
Cirrus5
And finally the Fixit file:
Bobbi Flekman
Hi Cirrus5,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll

O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll

O21 - SSODL: bqxomdo - {24FEF5F9-20CC-4CA7-BA74-6F9923ED7BE1} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {630D2FA0-9466-4C6D-BA63-3CF6BBF89566} - C:\WINDOWS\aswmklt.dll

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Then close all windows and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\dpvtporkgr.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\aswmklt.dll

Delete the following folders in red (it could be that they are deleted already):

C:\WINDOWS\privacy_danger

Restart your computer and post a new log in this thread.
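The checks the helper applied by eye to that log, written out as a small triage script (an added example, not tooling from this forum or from HijackThis): it parses HijackThis entry lines and flags a hijacked start page, shell-loaded modules (BHO, toolbar, SSODL) that sit directly in the Windows folder, and an Active Desktop component that points at a local file. The sample lines are copied from the log above; the TRUSTED_START_HOSTS allowlist is a constructed assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format: the entries the helper told the
# user to fix, mixed with benign entries from the same log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O21 - SSODL: bqxomdo - {24FEF5F9-20CC-4CA7-BA74-6F9923ED7BE1} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {630D2FA0-9466-4C6D-BA63-3CF6BBF89566} - C:\WINDOWS\aswmklt.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# HijackThis prefixes every entry with a section code: "R0 - ...", "O21 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a loadable module; paths may contain spaces.
MODULE_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|scr)\b", re.IGNORECASE)
# A module dropped straight into the Windows folder under a short letters-only
# name, rather than under system32 or Program Files.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[a-z]{6,12}\.(?:dll|exe)$", re.IGNORECASE)
# Constructed allowlist (an assumption); a real deployment would use its own.
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com", "go.microsoft.com"}


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O21"
    line: str    # the log line exactly as written
    reason: str  # why it deserves a second look


def parse_entries(log_text):
    """Return (kind, body, line) for every HijackThis entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def module_path(body):
    """Extract the module path from an entry body, or None if there is none."""
    m = MODULE_RE.search(body)
    return m.group(0) if m else None


def triage(log_text):
    """Apply the checks the helper applied by eye and return the entries that
    merit review. A finding is a review prompt, not a verdict."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        if kind in ("R0", "R1"):
            # Start/search page entries: the value after the first '=' is a URL.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            host = urlparse(url).hostname or ""
            if host and host not in TRUSTED_START_HOSTS:
                findings.append(Finding(kind, line, f"browser page set to untrusted host {host}"))
        elif kind in ("O2", "O3", "O21"):
            # BHOs, toolbars and SSODL objects load into Explorer/IE processes.
            path = module_path(body)
            if path and WINDIR_ROOT_RE.match(path):
                findings.append(Finding(kind, line, f"shell-loaded module {path} sits directly in the Windows folder"))
        elif kind == "O24" and "file:///" in body.lower():
            # Active Desktop component rendering a local HTML file (the fake warning page).
            findings.append(Finding(kind, line, "Active Desktop component points at a local file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample, the six findings are exactly the six entries the helper asked to have fixed; the O4 and vendor-path entries pass untouched.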