OutbreaK 0 Light Poster

Greetings,

My laptop was infected with the rogue malware called Internet Security 2013. I had some success in removing it after using Malwarebytes, but there are corruptions that linger. For instance, my Microsoft Security Essentials was not recognizing the only user as the administrator. I fixed this by entirely removing MSE with Microsoft's Fix It program; however, I'm now unable to reinstall MSE, even from a flash drive. It is an installation error (probably due to lingering corruption) and not a download error. Of second order is the problem with Internet Explorer. With the infection of the rogue software, IE9 began to refuse everything I tried to download (Firefox [second browser], all antivirus/anti-malware software) as a virus and rejected it. I am able to use Firefox (once again, ported from a flash drive) and download anything, including software.

I have run several different programs and each has either found something that another did not find or has come up clean.

Malwarebytes
Security Check
AdwCleaner
RogueKiller
Microsoft Fix It
RKill
DDS 

Let me know which logs are desired.

Thanks a bunch,

-OB

OutbreaK 0 Light Poster

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:43 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\Misc\W3XNameSpoofer12201.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

OutbreaK 0 Light Poster

Question, if you have Spyware Doctor with Anti-Virus, then where is it? It doesn't show as running in your HJT log? It shows NO anti-virus program. There are some great FREE anti-virus programs out there; just because it is a paid program doesn't make it better, doesn't make it bad either, but I would like to know why the one you have doesn't show in running processes.
Judy

I had it disabled because you asked me to disable everything when I was running all those programs. I haven't been on the internet except to post here, so I left them off.

OutbreaK 0 Light Poster

Looks ok to me, are things running better?

There's nothing I can tell that's wrong with it. My system seems to be moving slower, though. Might just be Firefox I'm using now as opposed to IE, with NoScript and AdBlock and whatnot.
Everything seems to be good, though. Uninstalled all my other antivirus programs except Spyware Doctor with AntiVirus, which I just bought the other day. Do you think that's a suitable antivirus or should I get a higher quality name brand like McAfee or an updated Norton?

OutbreaK 0 Light Poster

Well, the version of Norton I have is from 2006 and I didn't ever update it. I just uninstalled it because I bought Spyware Doctor, which comes with an antivirus service. AVG 8 was uninstalled months ago and I must have missed a file. HJT seems to have removed it. Here's the current file with what you asked completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:15 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

OutbreaK 0 Light Poster

Ok. I ran MBA-M again. Nothing was infected according to it. I also installed the new Java. In case you missed my post above, should I still be worried about the delself.dat and brastk.exe files that were originally on my system?

OutbreaK 0 Light Poster

Ok, so Karna.dat was a bad file. I'm still curious about that delself.dat and something called Brastk.exe that are apparently linked. From my HJT log, are you able to tell that they're gone? I'm running MBA-M with the update again and will get to Java after it.

OutbreaK 0 Light Poster

OK, well your ComboFix log shows deletion of files in the Temporary Files folder.

So can you please follow the ATF Cleaner instructions in this thread.

Once you have run ATF Cleaner, can you please run HijackThis again and post a fresh log.

Thank you,

Cohen

I ran ATF and the Windows malicious file remover as directed in that post, Cohen. Here's the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:53 PM, on 11/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program …

OutbreaK 0 Light Poster

These were the results for each of the files you asked me to scan, Judy. They all found nothing on each file. I'm starting to worry here. :'(


A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

OutbreaK 0 Light Poster

Ok, I ran the program after disabling everything. However, when it restarted there was a Norton AntiVirus question asking me if I wanted to allow psexec.cfexe to run. I googled it and denied it. Apparently it's linked to this rogue antivirus program that tried to get me. Here's the log.


ComboFix 08-11-19.08 - HP_Administrator 2008-11-20 13:09:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.401 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\curuk.reg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\enylub.lib
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\osuk.lib
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\oxorepe.lib
c:\documents and settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\disk.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-18 21:14 . 2008-11-18 21:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 21:14 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 21:14 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 20:47 . 2008-11-18 20:47 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-18 20:45 . 2008-11-18 20:45 <DIR> d-------- c:\windows\ERUNT
2008-11-18 20:27 . 2008-11-18 21:04 <DIR> d-------- C:\SDFix
2008-11-18 18:23 . 2008-11-18 18:23 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 13:44 . 2008-11-18 13:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-11-18 13:44 . 2008-11-18 13:43 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys

OutbreaK 0 Light Poster

Hey again. Thanks for finding out how to disable that, but I had completely shut down PC Doctor and rebooted my PC before I checked back here. I was able to update MBA-M and rerun it, and HJT as well. Here are the logs, but it seems nothing had to get fixed.

Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 3

11/19/2008 6:35:43 PM
mbam-log-2008-11-19 (18-35-43).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 170751
Time elapsed: 54 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:24 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

OutbreaK 0 Light Poster

Ok, first you need to turn off the following and leave them off:
Spyware Doctor
Registry Mechanic
Spybot TeaTimer
I don't use the top two programs, so I am not certain how to turn them off and keep them off, but all three start when the computer is booted up, so this must be stopped also.
For TeaTimer do the following: open Spybot, select Advanced Mode, Tools, Resident. Take the check mark out of TeaTimer. Close the programs and reboot.
This feature of the program can interfere with fixes done with HJT and frankly is more trouble than it is worth.
After you have turned off all three of those programs, I would like you to update MBA-M once more and again run a Full System scan with it. Allow it to remove everything it finds, save the log and post back here with it, along with a new Full Scan log from HJT.
Judy

I uninstalled Registry Mechanic. I'm unsure how to disable PC Doctor to your satisfaction, though. I disabled "Intelliguard Protection" and Computer Immunization reads as "OFF." I'm unsure if this makes it off or not, though. Can't seem to find anything googling, either.

OutbreaK 0 Light Poster

Did you run SDFix in Safe Mode?

Yeah, just as instructed.

OutbreaK 0 Light Poster

Hey, Judy. Thanks for replying. I want to mention something I did that I forgot to mention before. I deleted that file delself.bat from the Recycle Bin before ever attempting to remove it. I bring this up in case it had any effect on your method of removal. Anyhow, here are all three logs.

SDFix: Version 1.240 
Run by Administrator on Tue 11/18/2008 at 08:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:


C:\DOCUME~1\HP_ADM~1\COOKIES\ENIK.BIN - Deleted
C:\DOCUME~1\HP_ADM~1\COOKIES\ASAHIR._SY - Deleted
C:\Documents and Settings\All Users\Documents\amozufas.scr - Deleted
C:\WINDOWS\system32\wini10881.exe - Deleted
C:\WINDOWS\system32\_scui.cpl - Deleted


Removing Temp Files


ADS Check :


Final Check :


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 20:59:24
Windows 5.1.2600 Service Pack 3 NTFS


detected NTDLL code modification:
ZwClose


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0


scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM]
"Start"=dword:b9449bde


scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\DISC\DISCover.exe"="C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital …

OutbreaK 0 Light Poster

Hi. Recently I accidentally clicked on a website in a Google search that locked my Internet Explorer up to a point where it wouldn't close, but it kept on executing whatever process it does to infect my computer. The file was called DelSelf.bat, I believe. I tried to google it, but apparently it had installed a rogue antivirus program that tried to get $50.00 out of me and kept denying me access to other websites. Eventually, I looked into PC Doctor and bought that after getting multiple reviews on how it worked and how it was legit. Now I feel like an idiot because I'm still unsure if it's safe for me to use my credit card online. I feel like something may still be lurking. Would you mind reviewing this HJT log and responding on anything unusual you see? It would be much appreciated.

-Outbreak

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:37 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe

OutbreaK 0 Light Poster

My computer has been randomly crashing at times, and I can't figure out why. It would display numbers quickly on a blue screen and fade out. I did a system restore and it booted me back to SP1 because that's what came with my computer. If I ran HJT and other things, could you possibly tell me why and what to do? A lot of my programs won't start, and when I drag a window across the screen it goes in sliding phases instead of a smooth drag like before. Thanks.

OutbreaK 0 Light Poster

When I hold both left and right mouse buttons down at the same time, the mouse shuts off after 20 seconds. I need to disable this because I play a game in which running involves holding both down. Has anyone had the same trouble for any other reason? I assume this is a feature which may have a way to disable it. Might anyone have a solution? The HP sites have not helped, and when I google it, it brings me to a Mighty Mouse page listing every time. Thanks

HP Product No. P2360AA
FCC ID:35XMS5219CRF
MODEL: 5219CRF
INPUT: +3V- - -80Ma

If that helps, that's information on it.:)

OutbreaK 0 Light Poster

Hmm, I ran Windows Live One Care and the annoying icon seems to be gone, I'm sorry to bother. Thanks anyway :-)

I do have one other problem, which might be directed to another thread, and if it is, could someone please point me there? When I hold down left and right click on my HP Wireless Laser Mouse, after 20 seconds the mouse turns off and the action locks, and it keeps going as if I was still pressing it, and I have to right-click for it to stop. I've googled for about an hour and no sites seem to have this problem. If any of you have a solution, or the right thread to point me to if there is one, that'd be great. It might even be a feature of the mouse, but I can't find where to turn it off/on and whatnot. If this community has no solution, I'm sorry to bother.

OutbreaK 0 Light Poster

Greetings, once again. Last time my problem was unable to be resolved, and I'm back once again. It's the Spyquakeware stuff, I believe, and I'm still unable to resolve it. Last time Tayspen was very patient and tried to help me, at which time he told me to look for a second opinion. I noticed 'Stein is back, and well, now I'm looking.

Problem

There is an icon with the words "Virus Alert!" in the bottom right of my task bar, that has a miniature popup which looks like this. When I click it, it brings me to spyquakeware or whatever.

[IMG]http://i33.photobucket.com/albums/d85/Tassus/VirusThing2.jpg[/IMG]

If you could provide me with the links to all the programs, and if either one of you has useful advice, I could really use it. I really don't know what to do; Spybot S&D doesn't pick it up, which I was told was the best spyware hunter out there. Please, if anybody who knows a good amount could help, I'd greatly appreciate it. I've tried a few other websites and nobody seemed to have anything that helped. I had a problem in the past and this site helped me then, so I find this most reliable. Thanks :D

OutbreaK 0 Light Poster

I did run SmitFraudFix clean in safe mode before I replied here, so that might have killed off something you should have seen. It at least removed SpywareQuake or whatever. Well, thanks

OutbreaK 0 Light Poster

To be more specific, this is what it looks like :mad:

Any ideas?
[IMG]http://s33.photobucket.com/albums/d85/Tassus/VirusThing.jpg[/IMG]

OutbreaK 0 Light Poster

Looks clean to me

So there is no way to get rid of this blinking sign that says Virus Alert! and the pop-up every 40 seconds?

You do need to update Windows to Service Pack 2. As of now you are running SP1, making you very vulnerable to attack. Not only does SP2 offer numerous more features, but tons more security!

Yeah, I know. Just been dreading a long install. Silly me.:rolleyes:

You also need to update IE. Or better yet, get Firefox. Firefox is more secure, and offers many more features.

Yeah, I know! It's great, I've had Firefox for a few days.

Well, thanks Tayspen, so very much! I am still concerned about this popup activity. It's a little red Cancel sign and a blue circle with a white question mark inside. Even if I show no signs of being infected, is there something I can run to possibly flush it out?

Thanks again, you've been a big help thus far :)

OutbreaK 0 Light Poster

I hope this is it!:lol:

Ewido Scan Report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:00:31 PM, 6/14/2006
+ Report-Checksum: 34532C23

+ Scan result:

:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aqy2t5jr.default\cookies.txt -> …

OutbreaK 0 Light Poster

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:56:42 AM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\S3tray2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 …

OutbreaK 0 Light Poster

I hope this tells something :-)

OutbreaK 0 Light Poster

Logfile of HijackThis v1.99.1
Scan saved at 3:54:04 PM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\S3tray2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Junk\StealthBot v2.6R3.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Starcraft\StarCraft.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV CfgWiz] …
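The O2 (BHO), O3 (toolbar) and O4 (Run key) lines in the logs above are the entries a helper reads first when triaging a HijackThis log. As an added example, not part of this thread and not HijackThis's own code, here is a small Python script that parses those three line types and flags what a reviewer looks for: targets marked "(file missing)", browser extensions loading from a .tmp file or carrying no real name, and autorun commands that are bare filenames or sit in user-writable folders. The sample lines are copied from the logs quoted above, plus one constructed HKCU entry (its value name and path are hypothetical) so the user-writable rule is exercised; the rules are this example's heuristics and flag entries for review, not a verdict on the machine.

```python
import re

# Constructed sample: the O2/O3/O4 lines are copied from the HijackThis logs
# quoted in this thread; the final HKCU line is hypothetical (name and path
# invented here) so that the user-writable-location rule is exercised.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe /quiet
"""

# O2 (BHO) and O3 (toolbar) entries: section - kind: name - {CLSID} - path [(file missing)]
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 autorun entries: O4 - HKxx\..\Run: [value name] command line
RUN_RE = re.compile(
    r"^(?P<section>O4) - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Path fragments an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = (
    "\\documents and settings\\", "\\desktop\\", "\\temp\\",
    "\\application data\\", "\\local settings\\",
)


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first
    executable extension so that paths containing spaces are not truncated."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def triage_entry(section: str, name: str, path: str, missing: bool) -> list[str]:
    """Heuristic reasons an entry deserves a second look (empty list = nothing odd)."""
    reasons = []
    low = path.lower()
    if missing:
        reasons.append("target file missing: orphaned registry entry, fix/remove it")
    if section in ("O2", "O3"):
        if low.endswith(".tmp"):
            reasons.append("browser extension loads from a .tmp file")
        if name.strip().lower() in ("", "nothing", "(no name)"):
            reasons.append("extension has no meaningful name")
    if section == "O4":
        if "\\" not in path:
            reasons.append("bare filename, resolved through the PATH search order")
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append("autorun target sits in a user-writable location")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Parse the O2/O3/O4 lines of a HijackThis log and return the flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            path = m["path"]
            reasons = triage_entry(m["section"], m["name"], path, bool(m["missing"]))
        else:
            m = RUN_RE.match(line)
            if not m:
                continue  # other HJT sections (R1, O1, O23 ...) are not handled here
            path = command_path(m["cmd"])
            reasons = triage_entry("O4", m["name"], path, False)
        if reasons:
            findings.append({"line": line, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run as-is it prints four flagged entries: the hp100.tmp BHO (missing, .tmp, no name), the orphaned Yahoo! Toolbar, the bare `nwiz.exe` Run value, and the constructed Temp-folder entry; the HP and Symantec lines pass clean. A bare filename in a Run value is not itself proof of anything (nwiz.exe is the NVIDIA tray helper on many OEM builds), which is why the script reports reasons rather than verdicts.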

OutbreaK 0 Light Poster

Hello, I recently believed I was installing a Windows Media codec, but Spybot picked it up as a v.codec Media 4 or something, and others. I tried to remove it with it, but the SpywareQuake icon comes up, and I tried to remove it with SmitfraudFix. That is gone, but Virus Alert!, with an annoying 20-40 second pop-up, remains. I have Ewido, CCleaner, SmitfraudFix and HJT in case I need them in the removal process. Any help would be greatly appreciated.


Thanks.

OutbreaK