HiJackThis Log- Computer very mesed up

M

mpic92

New Member
It's gotten very sluggish/slow as of late and I've noticed some questionable processes running. ALso weirdly, Firefox has become the only web browser that lets me get online... other browsers and programs checking for updates seem to fail. Any help would be greatly appreciated:



Logfile of HijackThis v1.99.1
Scan saved at 4:02:35 PM, on 5/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Ag2.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Agq.exe
C:\WINDOWS\Axopia.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Documents and Settings\HP_Owner\System32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\Spyware Programs\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [MicrosoftNAPC] C:\Documents and Settings\HP_Owner\System32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartServiceCHETDRDA] "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\CHETDRDA\StartService.exe"
O4 - HKLM\..\Run: [tpdlqhpe] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\obyafwsqv\edpyrovtssd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [StartServiceCHETDRDA] "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\CHETDRDA\StartService.exe"
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Agq.exe
O4 - HKCU\..\Run: [QZAIB7KITK] C:\WINDOWS\Axopia.exe
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Ag2.exe
O4 - HKCU\..\Run: [tpdlqhpe] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\obyafwsqv\edpyrovtssd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13733908-6312-4FA6-9B97-B8DD9FCBA5D5}: NameServer = 93.188.165.34,93.188.161.169
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.34,93.188.161.169
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.34,93.188.161.169
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.34,93.188.161.169
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Click to expand...
 
First thing, you have an older version of hijackthis installed please uninstal the version you have first and then follow this procedure as you are infected pretty bad.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please post a HijackThis log by doing the following:

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

In your next reply please post:
  • The Malwarebytes log
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Last edited:
log

Here are the fresh logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2010 10:54:23 PM
mbam-log-2010-05-15 (22-54-23).txt

Scan type: Quick scan
Objects scanned: 129141
Time elapsed: 14 minute(s), 39 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
C:\WINDOWS\Axopia.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\HP_Owner\System32.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzaib7kitk (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tpdlqhpe (Rogue.AntiSpywareSoft) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoftnapc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoftcorp (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.34,93.188.161.169 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13733908-6312-4fa6-9b97-b8dd9fcba5d5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.34,93.188.161.169 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Axopia.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\obyafwsqv\edpyrovtssd.exe (Rogue.AntiSpywareSoft) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-5692338112-4581931703-511075386-8678\winlogon.exe (Trojan.Inject) -> Delete on reboot.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00001e53.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000045a5.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00004a99.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000068bf.tmp (Rogue.VirusProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00007b61.tmp (Rogue.VirusProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\b 1d1.dll (Rogue.VirusProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\b 40c9.dll (Rogue.VirusProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\b000011d8.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\b0000742b.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Ag2.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\System32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\System32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
Click to expand...

ComboFix 10-05-15.01 - HP_Owner 05/15/2010 23:21:11.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.107 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\HP_Owner\Application Data\chrtmp
c:\documents and settings\HP_Owner\Local Settings\Application Data\{DE158CFF-8133-417A-BA21-16F4F8139F7A}
c:\documents and settings\HP_Owner\Local Settings\Application Data\{DE158CFF-8133-417A-BA21-16F4F8139F7A}\chrome.manifest
c:\documents and settings\HP_Owner\Local Settings\Application Data\{DE158CFF-8133-417A-BA21-16F4F8139F7A}\chrome\content\_cfg.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{DE158CFF-8133-417A-BA21-16F4F8139F7A}\chrome\content\c.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{DE158CFF-8133-417A-BA21-16F4F8139F7A}\chrome\content\overlay.xul
c:\documents and settings\HP_Owner\Local Settings\Application Data\{DE158CFF-8133-417A-BA21-16F4F8139F7A}\install.rdf
c:\program files\Common Files\System\Uninstall
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://92.241.169.29
.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 02:08 . 2010-05-16 02:08 -------- d-----w- c:\program files\Trend Micro
2010-05-16 02:07 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 02:07 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 02:07 . 2010-05-16 02:54 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\obyafwsqv
2010-05-01 13:38 . 2010-05-01 13:38 -------- d-----w- C:\spoolerlogs
2010-04-25 19:46 . 2010-04-25 19:46 93184 --sha-r- c:\windows\system32\perfos7.dll
2010-04-22 15:19 . 2010-04-22 15:20 -------- d-----w- c:\program files\SpywareBlaster
2010-04-22 15:02 . 2010-04-22 15:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 03:00 . 2010-04-19 03:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-17 12:50 . 2010-05-05 13:08 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\CHETDRDA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 02:07 . 2009-03-21 19:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-15 20:09 . 2005-03-19 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-15 20:05 . 2010-03-20 23:43 -------- d-----w- c:\program files\CCleaner
2010-04-24 21:08 . 2005-06-13 00:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2010-04-22 15:20 . 2008-03-22 19:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-22 15:03 . 2004-12-02 05:15 -------- d-----w- c:\program files\Common Files\Java
2010-04-10 18:44 . 2010-04-10 18:43 -------- d-----w- c:\program files\iTunes
2010-04-10 18:44 . 2010-04-10 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 18:44 . 2010-04-10 18:44 -------- d-----w- c:\program files\iPod
2010-04-10 18:44 . 2007-09-06 20:19 -------- d-----w- c:\program files\Common Files\Apple
2010-04-10 18:39 . 2010-04-10 18:39 -------- d-----w- c:\program files\QuickTime
2010-04-10 18:36 . 2010-04-10 18:36 -------- d-----w- c:\program files\Bonjour
2010-04-10 18:34 . 2010-04-10 18:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-10 06:15 . 2004-08-04 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-03 13:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-04 11:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 18:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-03-19 21:16 . 2005-03-19 21:16 0 -c--a-w- c:\program files\sbversion.txt
2008-12-29 20:00 . 2008-12-29 20:00 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-29 20:00 . 2008-12-29 20:00 125840 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-29 20:00 . 2008-12-29 20:00 98704 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-12-29 20:00 . 2008-12-29 20:00 107848 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-21 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"SiSPower"="SiSPower.dll" [2008-06-27 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CompuServe 7.0 Tray Icon.lnk
backup=c:\windows\pss\CompuServe 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^OpenOffice.org 1.1.3.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\OpenOffice.org 1.1.3.lnk
backup=c:\windows\pss\OpenOffice.org 1.1.3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-12-02 05:39 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 esqhpw;esqhpw;c:\windows\system32\drivers\edaeqgck.sys --> c:\windows\system32\drivers\edaeqgck.sys [?]
S3 atidgllk;atidgllk;\??\c:\documents and settings\HP_Owner\Desktop\winflash2015\atidgllk.sys --> c:\documents and settings\HP_Owner\Desktop\winflash2015\atidgllk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1273098744-1394660588-480482985-1009Core.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 00:17]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1273098744-1394660588-480482985-1009UA.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 00:17]

2010-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\nlx95wo0.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - plugin: c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ImInstaller_IncrediMail - c:\docume~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8337A8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75c9f28
\Driver\ACPI -> ACPI.sys @ 0xf745ccb8
\Driver\atapi -> atapi.sys @ 0xf7417b3a
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-05-15 23:38:11
ComboFix-quarantined-files.txt 2010-05-16 03:38

Pre-Run: 137,440,124,928 bytes free
Post-Run: 137,731,903,488 bytes free

- - End Of File - - 7C397219D5871C6F10E899641A0EB016
Click to expand...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:52 PM, on 5/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4741 bytes
Click to expand...
 
Been a long night, I don't have much time to test out the computer after doing all those scans. Seems to be running better right now, although my google search result links are still redirecting me to other weird/random sites. How do the logs look?

Thanks for the assistance, been a huge help.
 
How is the system running now? I also highly recommend downloading and running Ccleaner to clean out the old temp files and such. Get Ccleaner from here.

http://www.filehippo.com/download_ccleaner/

click the top right where it says download latest version. After the program is installed please put checkmarks next to the options set in the attached image and then click on run cleaner.
 

Attachments

  • ccleaner.JPG
    ccleaner.JPG
    76.3 KB · Views: 240
johnb35 said:
How is the system running now? I also highly recommend downloading and running Ccleaner to clean out the old temp files and such. Get Ccleaner from here.

http://www.filehippo.com/download_ccleaner/

click the top right where it says download latest version. After the program is installed please put checkmarks next to the options set in the attached image and then click on run cleaner.
Click to expand...

It seems to be running very well, thank you so much for the help. I've always been a big fan of Ccleaner, and run it frequently.
 
You must log in or register to reply here.
Back
Top