sites take forever to open and my computer takes just as long.
Many thanks!

Logfile of HijackThis v1.98.2
Scan saved at 8:29:07 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1124340605\ee\AOLHostManager.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\AOL\1124340605\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Accent\WNW\Wnw.exe
C:\Program Files\Common Files\Accent Shared\agtserv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Carrie_2\Desktop\Security\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [56wlA5n] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [56wlA5n.exe] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124340605\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [5YPC#4T4LRJR5E] C:\WINDOWS\System32\Jel377h.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe
O4 - Startup: WNW.lnk = C:\Program Files\Accent\WNW\Wnw.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.daniweb.com
O15 - Trusted Zone: http://*.equifax.com
O15 - Trusted Zone: www.*.intuit.com
O15 - Trusted Zone: www.*.shop.intuit.com
O15 - Trusted Zone: http://www.lesbisanation.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.queens.edu
O15 - Trusted Zone: http://www.sapppho.com
O15 - Trusted Zone: http://*.target.com
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: www.*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145067128984
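
The entries the replies in this thread single out (the odfskrnl.exe and lnsvc.exe Run values, the files named for deletion) are the ones a log reviewer spots by a few mechanical tells: a Run value that names a bare executable with no path, so it is found via the search path rather than a fixed location; a program starting from a user's temp directory; the same file wired into several autorun keys at once, including the Win9x-era RunServices key; and names that look like random alphanumerics. The script below applies those tells to lines copied from the log above. It is an added example, not part of the thread and not HijackThis itself; the heuristics are this example's assumptions, and a hit is a reason to look, not proof of malware.

```python
"""Triage O2/O4 lines from a HijackThis-style log with a few autorun heuristics.

Added example for this thread; the rules below are assumptions of the example,
not anything HijackThis does or that the helper stated as a rule.
"""
import re

# Constructed sample: entries copied from the log posted above, with the
# ehTray, RealPlayer and Acrobat lines kept as known-good contrast.
SAMPLE_LOG = r"""
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [56wlA5n] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [56wlA5n.exe] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [5YPC#4T4LRJR5E] C:\WINDOWS\System32\Jel377h.exe
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\tmp\\")


def exe_of(cmd):
    """Pull the executable out of a Run value; handles quoted paths and trailing args."""
    cmd = cmd.strip().lstrip('"')
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split('"')[0].split(" ")[0]


def looks_random(stem):
    """Short token with letters and digits interleaved, e.g. 56wlA5n or Jel377h.
    Pure-alpha names (ehtray) and a trailing version suffix (hphmon05) are not flagged."""
    if not (5 <= len(stem) <= 12) or not stem.isalnum():
        return False
    if not (any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)):
        return False
    return re.fullmatch(r"[A-Za-z]+\d+", stem) is None


def triage(log_text):
    """Map each flagged O2/O4 line (or an executable basename) to the heuristics it trips."""
    findings = {}
    autorun_keys = {}  # basename -> [hive\key, ...] across the whole log
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            exe = exe_of(m["cmd"])
            base = exe.rsplit("\\", 1)[-1]
            stem = base.rsplit(".", 1)[0]
            autorun_keys.setdefault(base.lower(), []).append(f"{m['hive']}\\{m['key']}")
            if "\\" not in exe:
                reasons.append("bare filename: resolved via the search path, no fixed location")
            if any(t in exe.lower() for t in TEMP_MARKERS):
                reasons.append("launched from a temp directory")
            if m["key"].lower() == "runservices":
                reasons.append("RunServices key: Win9x-era key, rarely used legitimately on XP")
            if looks_random(stem):
                reasons.append("random-looking executable name")
        else:
            m = O2_RE.match(line)
            if m and m["path"].rsplit("\\", 1)[0].lower() in ("c:\\windows", "c:\\winnt"):
                reasons.append("BHO DLL dropped directly in the Windows directory")
        if reasons:
            findings[line] = reasons
    for base, keys in autorun_keys.items():
        if len(keys) > 1:
            findings[base] = [f"registered in {len(keys)} autorun keys: " + ", ".join(keys)]
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for w in why:
            print("   ->", w)
```

Run as-is it prints only the suspicious entries from the constructed sample; the clean ehTray, RealPlayer and Acrobat lines produce nothing. On a full log the multi-key finding is the most useful one, since a file that is wired into HKLM Run, RunServices and HKCU Run at once has been planted for persistence rather than installed.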

Hi Carrie,

It looks like you have a few malware issues.

--- Your HJT is an old version and outdated. Let's kill a few birds with one stone and do this:

Please follow the steps that I have written here and get an up-to-date copy of HJT. Be sure to rename it as instructed.


Please submit the three scanlogs requested in the link to this forum and we'll get you cleaned up!

1 - Kaspersky Log
2 - AVG Anti-Spy log (remember to "quarantine" and "Apply Actions" as indicated in my instructions)
3 - Fresh HJT Log

If you have any questions, feel free to ask.

Best Luck :)
PP

Hi P,
Well, I finally got through most of your instructions, cleaned whatever I could find and the result is uploaded in the attachments.

Thanks so much for your help. Your instructions helped me clean up quite a bit.

If you would take a look, I think we're down to the last few baddies.

tks
Carrie

Hi Carrie,

Looks like we have a bunch yet to do. But, we'll get there! :)

First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_70_302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

All of the Above are FREE!!

-- You should definitely Update your Java here ---> http://www.java.com/en
-Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! If you do not uninstall ALL older versions, you may remain at risk for a number of baddies such as Vundo.
Do this now.

Also, when we are done, we will need to Flush System Restore – Don’t let me forget!

*** The AVG AntiSpy Log was not saved properly. We’ll run it again after these steps.
*** You have a lot of backdoor Trojans showing. They may have compromised any sensitive information on your computer (banking, passwords, etc...) – You might want to keep an eye on those or change them via a clean computer!

Anyhoo, off we go!
Please do these steps in the order given. Let me know if you have any questions.
You might want to print these steps or save them locally since you will have to reboot and be in Safe Mode.

-- Please Disable SpybotSD’s Tea Timer so it doesn’t interfere with the repair process.

-- Please make sure the Viewing of Hidden Files is Enabled.

-- I suggest you look in Add/Remove Programs and Uninstall Viewpoint / Viewpoint Manager unless you really want to keep it....

--- Download ATF-Cleaner.exe by Atribune to your Desktop. Just leave it for now . . .

--- Download DelDomains and save it to your Desktop. Then, RightClick DelDomains.inf and select Install. That’s all we are going to do with this one.


NEXT:
Please Scan with HijackThis, and check the boxes for the following items if they remain:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe

There is no reason for anything to be in Trusted Zone – DelDomains should have addressed this. If any remain, fix them.
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.daniweb.com
O15 - Trusted Zone: http://*.equifax.com
O15 - Trusted Zone: www.*.intuit.com
O15 - Trusted Zone: www.*.shop.intuit.com
O15 - Trusted Zone: http://www.lesbisanation.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.queens.edu
O15 - Trusted Zone: http://www.sapppho.com
O15 - Trusted Zone: http://*.target.com
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: www.*.turbotax.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Fix this, if it remains after the Uninstall of Viewpoint
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Be sure All Browser Windows are Closed and then Click Fix Checked.


NEXT:
Please Boot to Safe Mode.
Use Windows Explorer to navigate to and DELETE these, if they remain.
Remember to ENABLE the Viewing of Hidden Files as I mentioned before.

C:\a.exe
C:\Documents and Settings\Admin\inetd.exe
C:\im.exe
C:\iMeshInst.exe
C:\WINDOWS\system32\aim.exe
C:\WINDOWS\system32\Asp5Wzh.exe
C:\WINDOWS\system32\Heh1MKe7.exe
C:\WINDOWS\system32\Ink640ww.exe
C:\WINDOWS\system32\Jel377h.exe
C:\WINDOWS\system32\KrwH5f.exe
C:\WINDOWS\system32\PlsO0A55.exe
C:\WINDOWS\system32\TktBtA.exe
C:\WINDOWS\system32\Tvi9.exe
C:\WINDOWS\system32\vsixksnw.dll
You’ll need to search for these two:
odfskrnl.exe
lnsvc.exe

NOW:
Run ATF Cleaner

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.

LASTLY: I’d like to see fresh Scanlogs from:
1- Kaspersky
2- AVG Anti-Spyware
3- HijackThis


Let me know if you ran into any problems along the way.

Best Luck :)
PP

Hey P! Managed to get through these instructions without incident. Thanks for making them so clear. I did remove the trusted sites, but have a problem (i.e. links don't open) with moving around within a site if the site is not listed in trusted. Drop downs for file selection such as to upload an attachment take eons to open. Not sure if related, but cd writer software doesn't recognize that a cd is inserted. Trying to think what else...Here are the new logs. Again, many thanks. Your help is greatly appreciated.

Happy to help!

Those problems do not make any sense with the steps we ran.
Sites should not have to be listed in the Trusted Zone for them to work properly
What is really weird is that I am helping somebody in a different forum with a similar problem with uploading attachments in a few forums they visit..... Sounds like a javascript issue.....

Do This:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! (jre1.5.0_04 and any others)
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.

Then, run ATF Cleaner again to flush the Java Cache.

-- You could try reinstalling the CD Writer software, but I do not think anything we did affected that....

I will double-check the logs when I get home tonight and we'll go from there.

PP :)

In addition to my previous post, you should really do the following:

First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_70_302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

-- Otherwise, the new logs look OK (we'll still need to flush System Restore after we finish).
You should delete this baddie that was still found by Kaspersky:
C:\Documents and Settings\Carrie_2\inetd.exe -- Infected: Backdoor.Win32.IRCBot.gen
Or, is this something you recognize?


-- About the Trusted Zone:
Are your IE Security Settings set so high that you need to put these known sites into the Trusted Zone? Did you change those settings?

Let me know.

PP :)
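
The Trusted Zone question above, and the earlier note that 'http' sat in the My Computer zone (the O15 ProtocolDefaults line), both come down to two registry locations under Internet Settings\ZoneMap. ProtocolDefaults maps each scheme to a default zone (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites), and Domains holds per-site overrides. A site in zone 2 gets the Trusted sites security level instead of the Internet level, and http defaulting to zone 0 means every web page is treated with the near-absent restrictions of the local machine zone, which is why that setting is worth fixing before anything else. The script below parses a constructed regedit export of those keys, reports the same facts HijackThis prints as O15 lines, and emits a .reg that empties Domains and puts http, https and ftp back in the Internet zone (the outcome PP asks for: nothing in Trusted Zone, http in the Internet zone). It is an added example, not from the thread and not what DelDomains.inf contains; the export text is constructed, the HKCU prefix can be swapped for HKEY_LOCAL_MACHINE to audit the machine-wide list, and treating a domain key without a host subkey as '*.domain' is this example's assumption about IE's layout.

```python
"""Audit an exported IE ZoneMap (.reg) the way HijackThis's O15 check does.

Added example for this thread; the export below is constructed, not a real
dump from the poster's machine, and the Domains-key interpretation is assumed.
"""

ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed export (regedit > File > Export on the ZoneMap key): http pushed
# into zone 0, plus three of the Trusted entries from the log posted above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"https"=dword:00000003
"ftp"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bankofamerica.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\apple.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\queens.edu]
"*"=dword:00000002
"""


def parse_reg(text):
    """Minimal regedit-export parser: {key_path: {value_name: int}}, dword values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=dword:" in line:
            name, _, value = line.partition("=dword:")
            keys[current][name.strip('"')] = int(value, 16)
    return keys


def audit_zonemap(reg, zonemap=ZONEMAP):
    """Report scheme defaults outside the Internet zone and every site placed in a
    zone with fewer restrictions than Internet (My Computer, Local intranet, Trusted)."""
    findings = []
    for proto, zone in reg.get(zonemap + "\\ProtocolDefaults", {}).items():
        if proto in ("http", "https", "ftp") and zone != 3:
            findings.append(("ProtocolDefaults",
                             f"{proto} defaults to {ZONES.get(zone, zone)} ({zone}); should be Internet (3)"))
    prefix = zonemap + "\\Domains\\"
    for key, values in reg.items():
        if not key.startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        # Domains\example.com\www -> www.example.com
        # Domains\example.com     -> *.example.com (assumed: no host subkey covers all hosts)
        site = f"{parts[1]}.{parts[0]}" if len(parts) > 1 else f"*.{parts[0]}"
        for proto, zone in values.items():
            if zone in (0, 1, 2):
                entry = site if proto == "*" else f"{proto}://{site}"
                if zone == 2:
                    findings.append(("TrustedZone", entry))
                else:
                    findings.append(("ElevatedZone", f"{entry} in {ZONES[zone]}"))
    return findings


def fix_reg(zonemap=ZONEMAP):
    """A .reg that deletes the whole Domains list and resets the scheme defaults.
    [-key] is regedit's delete-key syntax."""
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[-{zonemap}\\Domains]", "",
        f"[{zonemap}\\ProtocolDefaults]",
        '"http"=dword:00000003', '"https"=dword:00000003', '"ftp"=dword:00000003', "",
    ])


if __name__ == "__main__":
    for category, detail in audit_zonemap(parse_reg(SAMPLE_REG)):
        print(f"{category:16} {detail}")
    print(fix_reg())
```

The audit output reads like the O15 section of the log: one line per site, with the ProtocolDefaults problem listed first. Importing the generated .reg gives the same end state the thread works towards, and re-running the audit on it (parse the output of fix_reg) returns nothing, which is the check to do before deciding that a site "needs" to be trusted again.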
