Author Topic: winlogon.exe infected. help! (Read 11982 times)

tonez · « **Reply #40 on:** March 14, 2009, 05:25:36 PM »

Ok here's a fresh new HJT Log.

One question though, Why did symantec started acting up earlier? about 100+ pop ups started showing up and it was all email proxy like this screenshot I found on google.
http://advait.supnekar.googlepages.com/desktopclutter.JPG

I hope there arent anymore malware that got thru.
------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:42 PM, on 3/14/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\regwiz.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inf\rundll33.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\afisicx.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sopidkc.exe
C:\WINDOWS\System32\tdctxte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\reader_s.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\regwiz.exe,C:\WINDOWS\System32\undname.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\System32\inf\rundll33.exe C:\WINDOWS\xccdf16_090313a.dll xccd16
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nidle] "C:\Documents and Settings\Owner\Application Data\nidle\nidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\System32\afisicx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\System32\sopidkc.exe
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\System32\tdctxte.exe

--
End of file - 8418 bytes

guestolo · « **Reply #41 on:** March 14, 2009, 05:40:59 PM »

Did you scan that Flash drive?
If so, with what scanner?

Did you hook any other External drives to this computer?
Is this the Hijackthis log from your Desktop or Laptop?

tonez · « **Reply #42 on:** March 14, 2009, 05:59:47 PM »

I only plugged the flash drive when I transferred the updates. I scanned it and it wasnt infected, and that HJT is from my desktop. Pls let me know if I re-infected my PC so I can reformat again. This PC already shut off itself twice just now, so I'm starting to think that a virus snicked in.

guestolo · « **Reply #43 on:** March 14, 2009, 06:04:37 PM »

Is the Desktop and Laptop networked?
Something is reinfecting you, either your external drives
Or Recovery partition is infected, or networked folders

I'm guessing that the laptop also has been infected, but I can't be sure

If your laptop is also infected, it may be injecting itself into the download of the network driver

Can you post a Hijackthis log from the laptop

tonez · « **Reply #44 on:** March 14, 2009, 06:28:15 PM »

Okay this is the laptop. Should I just go on and reformat the desktop again?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:47 PM, on 3/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MSOFFI~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MSOFFI~1\Office12\ONBttnIE.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\Office12\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8440 bytes

guestolo · « **Reply #45 on:** March 14, 2009, 06:45:42 PM »

Not sure why you keep running with more than one AntiVirus software on your computer
More than one active Virus scanner will cause system conflicts and considerably slow down the machine
I suggest that you keep the one your happiest with and uninstall the other
Afterwards, let's do a double check on the laptop

For the LAPTOP
Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

tonez · « **Reply #46 on:** March 14, 2009, 07:34:19 PM »

ComboFix 09-03-06.02 - Tonez 2009-03-14 17:03:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.99 [GMT -7:00]
Running from: c:\documents and settings\Tonez\Desktop\ComboFix.exe
FW: Windows OneCare Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Readme.txt

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 16:23 . 2009-03-14 16:23   <DIR>   d--------   c:\program files\Trend Micro
2009-03-10 17:18 . 2009-03-14 00:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-10 16:40 . 2009-03-10 16:40   <DIR>   d--------   c:\program files\Common Files\Macrovision Shared
2009-03-10 16:24 . 2009-03-10 16:24   <DIR>   d--------   c:\program files\7-Zip
2009-03-09 23:32 . 2009-03-09 23:32   <DIR>   d--------   c:\documents and settings\Tonez\DoctorWeb
2009-03-07 13:07 . 2009-03-07 13:07   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-03-07 13:07 . 2009-03-07 13:07   <DIR>   d--------   c:\documents and settings\Tonez\Application Data\Malwarebytes
2009-03-07 13:07 . 2009-03-07 13:07   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-07 13:07 . 2009-02-11 11:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 13:07 . 2009-02-11 11:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-03-05 21:05 . 2009-03-08 19:49   <DIR>   d--h-----   C:\$AVG8.VAULT$
2009-03-05 15:04 . 2009-03-05 15:04   325,640   --a------   c:\windows\system32\drivers\avgldx86.sys
2009-03-05 15:04 . 2009-03-05 15:04   107,912   --a------   c:\windows\system32\drivers\avgtdix.sys
2009-03-05 15:04 . 2009-03-05 15:04   10,520   --a------   c:\windows\system32\avgrsstx.dll
2009-03-05 15:03 . 2009-03-14 15:52   <DIR>   d--------   c:\windows\system32\drivers\Avg
2009-03-05 15:03 . 2009-03-05 15:03   <DIR>   d--------   c:\program files\AVG
2009-03-05 15:03 . 2009-03-05 15:03   <DIR>   d--------   c:\documents and settings\All Users\Application Data\avg8
2009-03-03 18:28 . 2009-03-03 18:28   <DIR>   d--------   c:\program files\kSolo
2009-03-03 01:57 . 2009-03-03 01:58   <DIR>   d--------   c:\documents and settings\Tonez\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 03:43   ---------   d-----w   c:\program files\PokerStars
2009-03-11 00:00   ---------   d-----w   c:\program files\Common Files\Adobe
2009-03-10 02:29   ---------   d-----w   c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-10 02:22   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee.com
2009-03-10 02:19   ---------   d-----w   c:\program files\Trojan Remover
2009-03-08 07:08   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-26 23:14   ---------   d-----w   c:\program files\Common Files\Adobe AIR
2009-02-26 23:13   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-02-26 23:08   ---------   d-----w   c:\program files\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM95\aim.exe" [2004-02-04 61440]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2006-02-23 200424]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2002-12-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1932568]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-05 15:04 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSMPSVC]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus.lnk
backup=c:\windows\pss\D-Link AirPlus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
backup=c:\windows\pss\PowerPanel.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-02-04 13:29 61440 c:\program files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2002-10-18 16:58 114688 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2002-11-23 18:52 294912 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 11:29 40960 c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2003-08-04 17:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-06-02 11:13 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 14:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 14:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-19 22:15 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2002-07-14 12:50 11406 c:\program files\support.com\client\lserver\Server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a--c--- 2001-09-04 17:24 28672 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a--c--- 2002-03-14 17:46 45056 c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Excursion9.4\\Excursion9.4.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-05 107912]
R1 MPSHLPR;MPSHLPR;c:\windows\system32\drivers\mpshlpr.sys [2005-10-26 106752]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 298264]
R2 MPSDrv;MPSDrv;c:\windows\system32\drivers\mpsdrv.sys [2005-10-26 82560]
R2 mpssvc;Microsoft Protection Service;c:\program files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe [2005-10-27 836328]
R3 LMPC2;LMPC2;c:\windows\system32\drivers\lmpc2.sys [2004-09-28 4224]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-01-02 71961]
S2 mrtRate;mrtRate;

S3 PRISM;IEEE 802.11 Wireless NIC Driver;c:\windows\system32\drivers\EXPRESS.sys [2003-01-02 614912]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2003-04-16 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2003-04-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-bcachew - c:\windows\System32\bcachew.exe
MSConfigStartUp-gcasServ - c:\program files\Microsoft AntiSpyware\gcasServ.exe
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\wcescomm.exe
MSConfigStartUp-hzfmhepp - c:\windows\System32\rhfacvdo.exe
MSConfigStartUp-INTLGNTT - c:\windows\System32\INTLGNTT.exe
MSConfigStartUp-McAgentexe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McUpdateexe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-rmturad - c:\windows\rmturad.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-WhenUSave - c:\progra~1\Save\Save.exe
MSConfigStartUp-_1251c - c:\windows\System32\_1251c.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\msoffi~1\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Tonez\Application Data\Mozilla\Firefox\Profiles\1xixlnab.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 17:07:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2009-03-14 17:14:17
ComboFix-quarantined-files.txt 2009-03-15 00:12:56

Pre-Run: 2,224,603,136 bytes free
Post-Run: 2,931,671,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

229

guestolo · « **Reply #47 on:** March 14, 2009, 08:03:38 PM »

Does Norton's have a Firewall?

Do you have the Laptop and Desktop networked together?

DESKTOP INFORMATION:
Do you only have the C: partition and D: for Recovery partition?

Do you have any other External drives hooked to the desktop?

Insert the Flash drive to the desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Take a look at the contents of the Flash drive
Look at the file extensions, do you have any other extensions backed up besides music files
Text documents

Any zipped files?

Are there ANY .exe or .scr files?
You should see an autorun.inf Folder
Inside that folder should be a file labelled "This folder was created by Flash Disinfector"
Do you see it?

Is your Wireless Router have security enabled and are you using strong passwords?

tonez · « **Reply #48 on:** March 14, 2009, 08:58:36 PM »

I did another destructive system recovery just to be safe, but let me answer your questions.

[quote name=\'guestolo\' post=\'459513\' date=\'Mar 14 2009, 05:03 PM\']Does Norton's have a Firewall?

I think this norton came with the computer and it ma y have it but outdated.
Do you have the Laptop and Desktop networked together?

Nope

DESKTOP INFORMATION:
Do you only have the C: partition and D: for Recovery partition?

Yes

Do you have any other External drives hooked to the desktop?

I havent hooked up my external harddrive since the time you told me not to.

Insert the Flash drive to the desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Take a look at the contents of the Flash drive
Look at the file extensions, do you have any other extensions backed up besides music files
Text documents

Any zipped files?

Are there ANY .exe or .scr files?
You should see an autorun.inf Folder
Inside that folder should be a file labelled "This folder was created by Flash Disinfector"
Do you see it?

I actually did all of this just now in this laptop, and also deleted all of my files in it afterwards except for that autorun.inf folder with Flash Disinfector in it. They were just school documents anyway and the update drivers from earlier.

Is your Wireless Router have security enabled and are you using strong passwords?

This I am not sure of. I havent really messed with the router. The wireless is not password protected so anybody can leech off my connection ( I dont know how to set it up)
[/quote]

guestolo · « **Reply #49 on:** March 14, 2009, 09:28:02 PM »

Your Router should of came with documentation to properly set up the Security on it!

Do the following please
From the laptop, redownload your Ethernet drivers from the following link and save it to the USB Flash drive
http://h10025.www1.hp.com/ewfrf/wc/softwar...5454&os=228

We'll need them later:
Just to be safe, go to
go to this link
http://www.virustotal.com/flash/index_en.html
Browse to the file for your Ethernet driver on the Flash drive and ensure it's clean

Remove the flash drive from the laptop afterwards

Back at the desktop
Disconnect the Network cable from the Desktop to the Router, DO Not hook this up till the next set of instructions are done
Your going to have to redo the Destructive Recovery (Make sure your doing the Destructive)

Once done, transfer the file from the flash drive to the desktop computer
Install it as you did before, but ONLY install the Ethernet Controller for now

If you have a Wireless network card in the Desktop, don't enable it for now

Let's get the Firewall enabled for XP
# Click Windows Start.
# Do one of these:

* Category view: select Control Panel, then Network and Internet Connections.
* Classic view: select Settings, then Control Panel.

# Click Network Connections, and then double-click the network icon for your network connection.
# Click the Properties button, and then select Advanced tab.
# Check the box under Internet Connect Firewall. and OK it

Now you can reconnect the Network cable from the Desktop to the Router
If you don't get Internet connection with 30 seconds, reboot the computer

Come back here immediately and post a Hijackthis log
Let's see if it looks clean, then we can try and start to get the machine secure

Quote

I did another destructive system recovery just to be safe, but let me answer your questions.

Edit>>Have you reinstalled your Ethernet driver yet?
You can skip the part I mentioned above about destructive recovery for now

tonez · « **Reply #50 on:** March 14, 2009, 10:44:22 PM »

I've actually done all of those and got the internet working without using the flash drive on the desktop. I let it install anyway even after a warning of a possible error later.

After doing all those, I went online and downloaded a program that I found called SuperAntispyware. At the same time while i was doing all of this, I shut off the laptop to make sure theres no network between the computers. It scanned these viruses that I took with my cellphone cam, the PC then restarted itself even before it finished scanning.

At the same time, the Norton Anti virus scanner was blocking those pop-ups I mentioned earlier.

I think the culprit here is my D: recovery partition because this second time I did it, I made sure that no flash, external drive werent connected, laptop was turned off and once I was on my desktop, Norton firewall started showing those pop-ups about email proxy.

guestolo · « **Reply #51 on:** March 14, 2009, 11:07:07 PM »

Can you try the following

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Run the scanner, let it finish the express scan, then select Custom Scan and only select your Recovery partition (D:)

tonez · « **Reply #52 on:** March 15, 2009, 01:24:49 PM »

Well I ran CureIt last night and did quick scan, full scan and custom scan. My D: drive was infected by virut.56 and they were all cured. Nothing else was found. I even double checked it with a Superantispyware. The C: drive though had more infections and most files were cured, deleted and moved.

http://uploading.com/del/A83DPPY87JYXPG/DrWebupdate.txt.html
I'm providing you the log from DrwebCureIt as well as this interesting screenshot. I checked why I couldnt get back online last night, and I noticed the network has added these WAN miniport on top of the nVidia.

I also received this message from my internet provider (roadrunner) when I was using internet on my laptop. probably from last nights activity on my desktop. It was doing a lot weird things. http://uploading.com/files/YGZ3TVO3/roadrunner.txt.html

Now I'm going to do a clean install for the third time. Third times a charm. I hope my recovery partition isnt infected by any other viruses.

guestolo · « **Reply #53 on:** March 15, 2009, 03:06:18 PM »

The first link to the Dr. Web scan was incorrect, you sent a link to the Upload section to delete file
So it's of no use to me

Hopefully, that cured the files in the D: drive
I suspect, that because you didn't do a Destructive recovery the first time around
You allowed Virut to infect the Recovery partition

If your next clean install doesn't work, you may have to order CD's
Unfortuneately, I don't think HP has your disks on hand, but you may be able to find them around the net
Then you would have to destroy that recovery partition and install from the Recovery Cd's

OR; we could try Dr. Web a different way, and ensure that you get Service pack 3 installed, BEFORE you reconnect to the Internet
But you will have to follow certain steps, and it's still not a guarantee

Try doing the clean install once again, if you can
Ensure your Firewall is ENABLED before connecting to the Internet, I'm not sure if Norton's was totally functional
It's also outdated

If everything goes alright this time, I need to see that fresh Hijackthis log, in addition, I asked for an uninstall list which you did not supply

It would help to see some of these logs, that Cureit log would of been of great help, but I think it's too late now

tonez · « **Reply #54 on:** March 15, 2009, 03:52:01 PM »

Okay the third clean install was a charm. I did not get network or realtek error just like before. It was a smooth clean install. No errors but just a one time shut off and this was when I first ran drwebcureit.

Here are logs of the three programs.
These are the only potential viruses scanned by drwebcureit that I have all moved.

Quote

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch;Incurable.Moved.;
A0000064.vbs;C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP0;Probably SCRIPT.Virus;Incurable.Moved.;
A0001013.exe;C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP0;Tool.ProcessKill;Incurable.Moved.;

I've googled them like killwind.exe, and they seem safe files.

**This one is combofix log. it did not scan anything.

Quote

ComboFix 09-03-14.02 - Owner 2009-03-15 12:32:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.324 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 11:21 . 2009-03-15 11:21 0 --a------ c:\windows\nsreg.dat
2009-03-15 10:47 . 2009-03-15 12:31 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-15 10:41 . 2009-03-15 10:41 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-15 10:39 . 2009-03-15 10:39 4,172 -rahs---- c:\windows\system32\drivers\HP_DW257A-ABA SR1050N NA510_YC_Pres_QMXM412_E42NAheREG3_4_IExplorer4_SASUSTeK Computer INC._VRev 1.xx_B3.01_T040210_WXH1_L409_M512_J200_7AMD_8Athlon XP 3200+_92.19_110DE006E_N10DE0066_P_Z11C1044C_K_A10DE006A_U10DE0067.MRK
2009-03-15 10:38 . 2004-01-27 06:18 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-03-15 10:38 . 2004-01-28 00:26 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-03-15 10:38 . 2004-01-27 05:57 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Sonic
2009-03-15 10:38 . 2004-01-27 06:55 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-03-15 10:38 . 2004-01-28 00:29 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\interMute
2009-03-15 10:37 . 2009-03-15 10:37 <DIR> d-------- c:\program files\Yahoo!
2009-03-15 10:37 . 2001-12-10 17:42 204,800 --a------ c:\windows\system32\IVIresizeW7.dll
2009-03-15 10:37 . 2001-12-10 17:42 200,704 --a------ c:\windows\system32\IVIresizeA6.dll
2009-03-15 10:37 . 2001-12-10 17:42 192,512 --a------ c:\windows\system32\IVIresizeP6.dll
2009-03-15 10:37 . 2001-12-10 17:42 192,512 --a------ c:\windows\system32\IVIresizeM6.dll
2009-03-15 10:37 . 2001-12-10 17:42 188,416 --a------ c:\windows\system32\IVIresizePX.dll
2009-03-15 10:37 . 2001-12-10 17:42 20,480 --a------ c:\windows\system32\IVIresize.dll
2009-03-15 10:36 . 2009-03-15 10:36 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-15 10:36 . 2009-03-15 10:36 <DIR> d-------- c:\program files\Multimedia Card Reader
2009-03-15 10:36 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2009-03-15 10:36 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2009-03-15 10:35 . 2009-03-15 10:35 <DIR> d-------- c:\program files\ATI Technologies
2009-03-15 10:35 . 2004-01-27 06:18 <DIR> d-------- c:\documents and settings\Default User\WINDOWS
2009-03-15 10:35 . 2002-08-29 02:06 51,072 --a------ c:\windows\system32\drivers\i8042prt.sys
2009-03-15 10:35 . 2002-08-29 01:27 23,424 --a------ c:\windows\system32\drivers\kbdclass.sys
2009-03-15 09:30 . 2009-03-15 10:46 248 --a------ c:\windows\system\hpsysdrv.dat
2009-03-15 09:28 . 2009-03-15 09:29 <DIR> d-------- c:\windows\I386
2009-03-15 09:21 . 2009-03-15 11:20 <DIR> dr------- C:\Program Files
2009-03-15 09:21 . 2009-03-15 09:27 <DIR> dr------- c:\documents and settings\All Users\Documents
2009-03-15 09:20 . 2009-03-15 10:39 <DIR> dr-hsc--- c:\windows\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 18:45 --------- d-----w c:\program files\Easy Internet signup
2009-03-15 18:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 18:37 --------- d-----w c:\program files\InterVideo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-27 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 70816]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 135168]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 c:\windows\ALCXMNTR.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-01-27 16384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

S2 mrtRate;mrtRate;

--- Other Services/Drivers In Memory ---

*Deregistered* - DwShield00007E84
.
Contents of the 'Scheduled Tasks' folder

2004-01-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-19 00:17]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)
HKLM-Run-VTTimer - VTTimer.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: SpSubLSP.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cgd1bkiu.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 12:33:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\SpSubLSP.dll
c:\windows\System32\dssenh.dll
.
Completion time: 2009-03-15 12:34:40
ComboFix-quarantined-files.txt 2009-03-15 20:34:38

Pre-Run: 188,652,871,680 bytes free
Post-Run: 188,662,820,864 bytes free

128

**HJT Log****

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:35 PM, on 3/15/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 5874 bytes

My norton isnt acting up like before and my pc seems stable now. I think I'm probably clean now. I will wait for other instructions but for now I'm going to update my video driver and such.

I don't know how or where to get sp2 or sp3, and proper instructions to scan and disinfect my external harddrive. I'm not going to connect that yet.

I also need, if there are any, free firewall. A firewall similar to windows OneCare that I can monitor which programs can access the internet. This norton that came with the computer only has a month trial. Maybe Ill just get the free version of AVG?

I will wait for your instructions.

tonez · « **Reply #55 on:** March 15, 2009, 04:38:24 PM »

Just an update.

I've installed drivers, flash, and windows sp2 update. I dont think windows-update alerted me for sp3. So far, there hasnt been any weird activities that i came across with.

edit>> updates.microsoft.com is now letting me update to SP3.

guestolo · « **Reply #56 on:** March 15, 2009, 07:51:17 PM »

Well, it sounds like everything is going alright, once you have all your Windows Updates
Can you come back here and post a fresh Hijackthis log
No sense trying to do anything till then

DO NOT install more than One AntiVirus and one Software Firewall
I'm not sure if you need a hand with any of that.
Keep me updated

tonez · « **Reply #57 on:** March 15, 2009, 08:33:47 PM »

Here you go. I'd like to know if its safe for me to plug my external harddrive in?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:35 PM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6908 bytes

guestolo · « **Reply #58 on:** March 15, 2009, 09:04:06 PM »

Can you post that uninstall list from Hijackthis please
Let's see what we can update and remove

Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

In addition, we can get you an updated Firewall and AntiVirus>>Were you happy with AVG?

tonez · « **Reply #59 on:** March 15, 2009, 09:47:51 PM »

Here you go..

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
Catalyst Control Center - Branding
CC_ccStart
ccCommon
Compaq Connections
Compaq Instant Support
Compaq Organize
Counter-Strike: Source
Easy Internet Sign-up
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.7)
MSRedist
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCHÂ® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
RealOne Player
RecordNow!
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Steam
SymNet
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player (Remove Only)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft FREE Trial
Yahoo! Companion
Zone Deluxe Games
Zune Desktop Theme

-----
I havent downloaded AVG. The program doesnt seem to be that good compared to the ones you told me to use (drweb, combofix, HJT)

News:

Author Topic: winlogon.exe infected. help! (Read 11982 times)