Question

Malware just won't stay out, can't find the trigger!!!

Asked by: yellow1053

I'm trying to rid some malware from an XP laptop. I thought I had it all out last week, but got a call back, it came back with a vengeance! it keep replicating files with "j0e" in the middle of them. it disables (actually removes) some of the tabs from the display properties ( I know how to get them back). I have found the following files that I know are related: ".tt9.tmp.vbs" "eg783j.syz" "braviax.exe" "plphclo3j0ej79.scr" "plphclo3j0ej79.bmp" "asnfgy.syz"
I've taken these out of the windows/system32 folders, the windows/prefetch folder, the registry, and anywhere else I could find them, but they keep coming back. Windows Outlook has stopped working as a result of these malware's. Norton's is updated and finds some of the things, but not all. has anyone had experience with this particular infection? Below is the hijackthis logfile. thanks for any help you can offer.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:10:01 PM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lphclo3j0ej79] C:\WINDOWS\system32\lphclo3j0ej79.exe
O4 - HKLM\..\Run: [SMshcjo3j0ej79] C:\Program Files\shcjo3j0ej79\shcjo3j0ej79.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sp.local
O17 - HKLM\Software\..\Telephony: DomainName = sp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sp.local
O21 - SSODL: AlATdKGy - {D069857C-7AC3-2FD6-5C42-77B8B1CAC590} - C:\WINDOWS\system32\poz.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\jritcey\My Documents\Executables\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8419 bytes

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2008-07-10 at 22:05:24ID23556258
Tags

Microsoft

,

Windows XP

,

SP2 (winnt 5.01.2600)

Topics

HijackThis Software

,

Outlook Groupware Software

,

Windows Network Security

Participating Experts
3
Points
500
Comments
20

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. HijackThis Log
    Need specific Removal instructions for this log: Logfile of HijackThis v1.99.1 Scan saved at 5:32:00 PM, on 03/23/2005 Platform: Windows 2000 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system3...
  2. HijackThis log
    Can someone tell me if anything from this hijackthis log needs to be removed? Even with firewall and anti-virus running I still got hit with adware and a virus. I already removed kernels32.exe from a previous hijackthis log and ran ad-aware in safe mode. But I'm still having ...
  3. MALWARE
    HI ALL I HAVE A MALWARE PROBLEM OR SOMETHIG LIKE THAT I HAVE A RESIDENT UCLEANER PROBLEM THAT ASK ME TO BUY EVERY TIME ASLO A ERROR SAFE I CANT DEAL WITH IT , I USE A LOT OF ANTI SPAM, ANTI VIRUS, ETC BUT NOTHING MY SOLUTION WAS DELETE DE DOCUMENT AND SETTINGS USERS AND STA...
  4. Hijackthis Log
    Ok I scanned my computer with hijack this here is the log: I get popups like crazy on this computer!!!! What needs deleted? Logfile of HijackThis v1.99.1 Scan saved at 3:08:23 AM, on 8/30/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6....
  5. HijackThis: smitfraud?
    rpggamergirl recently gave a solution to a fellow with a smitfraud problem that sounds just like mine. I was about to follow her instructions but thought I should post my own HijackThis log to be sure I'm not jumping to conclusions. I think the problem is in the Video Activ...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: rpggamergirlPosted on 2008-07-10 at 23:11:41ID: 21980276

Hi,
Download and run SDFix and show us a fresh Hijackthis after to review, you might need other tool as well.

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

 

by: rpggamergirlPosted on 2008-07-10 at 23:14:04ID: 21980282

On second thought, use this tool first,
Standalone bagle remover.
http://download.bleepingcomputer.com/sUBs/Beagled.exe

 

by: rpggamergirlPosted on 2008-07-10 at 23:17:01ID: 21980291

After running Bagle remover, and SDFix, you might need to run Combofix as well.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

by: torimarPosted on 2008-07-10 at 23:22:36ID: 21980312

This is not the newest version of HJT you are using. You may want to rescan with the actual scanner.

Also, download SmitfraudFix.exe (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) and give it a try in analysing and repairing the infected system.

In order to get rid of the remote controlling psexesvc temporary service, do this:
sc.exe query psexesvc
sc.exe delete psexesvc
sc.exe query psexesvc
del %windir%\psexesvc.exe

The person/worm who is using Psexec against the infected machine (thus creating the temporary psexesvc service) must have admin rights. Check for suspicious user accounts and change administrator passwords.

The suspicious files in your log are:
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
O4 - HKLM\..\Run: [lphclo3j0ej79] C:\WINDOWS\system32\lphclo3j0ej79.exe
O4 - HKLM\..\Run: [SMshcjo3j0ej79] C:\Program Files\shcjo3j0ej79\shcjo3j0ej79.exe
O21 - SSODL: AlATdKGy - {D069857C-7AC3-2FD6-5C42-77B8B1CAC590} - C:\WINDOWS\system32\poz.dll (file missing)
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)


Apart from SmitfraudFix you could try scans with Malwarebyte's Anti-Malware (http://www.malwarebytes.org/mbam.php) and ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) - make sure to follow the HowTo on this one.

Good luck.

 

by: rpggamergirlPosted on 2008-07-10 at 23:40:03ID: 21980353

Hi torimar,
If you're picking all the bad entries, this one below is also bad belonging to an SDBot infection, which SDFix should take care of.
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe

But, this one below is a legit program.
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe

This one below is legit as well, but only the user knows if the file is really gone or not as "file missing' in hijackthis 023 entries is not always true because of the hijackthis bug.
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
Maybe the file really is missing because of the display name being not 'Sysinternal'. Or if the user never did use "PsExec" then that could be a bad entry.

 

by: yellow1053Posted on 2008-07-11 at 00:24:18ID: 21980513

Wow, Thanks everyone, I'll try to do all these tomorrow and get right back to you.
Jim.

 

by: torimarPosted on 2008-07-11 at 02:52:22ID: 21981018

Hi rpggamergirl,

yes, you are right. I mixed up those two entries: "cssrss.exe" should have been in for sure, "reminder.exe" should have been left out. I only added that list for the sake of completion, assuming that yellow1053 already knew about most of them.

As to the 'psexec' issue, I think this might be one possible explanation for the bad files' mysterious returning: a remote process is recreating them every once in a while.

I remember having read about the "Coreflood Trojan" using a similar method, and that trojan seems to be on the wild these days.
I had no time to search extensively, so I can not serve with any better page than this:
http://www.exterminate-it.com/malpedia/remove-coreflood


 

by: torimarPosted on 2008-07-12 at 16:28:11ID: 21990705

I found some removal instructions, posted by a sysadmin whose network was infected a week ago:

--Quote--

Seeing there was very little information i could find on the time of the problem, these were the steps we took to clean up our affected PC's.

1. Implemented a GPO that enabled the windows firewall client with the nessasary exceptions. This definitely stopped the PC's from being re-infected.
3. We implemented a basic script to give us a list of PC's that had the psexec service installed on the logon script (we do not use this service at all)
2. We did a system restore on the affected PC, before the date that the network was affected and did not have the psexec service installed.
3. Win2003 servers/ PCs that wouldnt rollback - We had to manually remove the service using the "sc.exe delete psexesvc" from the command prompt.
4. Stopped service if running and deleted the psexesvc.exe for %windir%\
5. Deleted the prefetch file located in %windir%\prefetch
6. Ran a full AV scan on all our PC's and servers.

*only logon to the PC's on your network using the local admin account when sorting out this problem. Any domain admin accounts or such can cause your network to be reinfected when they logon to a PC thats infected with the Coreflood Trojan virus.

I'm not claiming this is the way to remove the problem, its just the method we used with limited info.

-- End quote--

Source: http://forum.sysinternals.com/forum_posts.asp?TID=15204&PN=2

Hope this helps.

 

by: yellow1053Posted on 2008-07-12 at 18:25:49ID: 21990978

HI All, thanks for all your help. I ran all of the suggested programs, and three of them found and fixed things. the Beagle didn't. Now the computer is completely free of all that malware, however some of the damage they did is still apparent. Microsoft Outlook won't connect to get the mail anymore, and sometimes locks up the computer after trying. and Internet Explorer keeps freezing up in the middle of using it. sometimes it won't even open up. Here are three log files that were generated by my repairs. First is the ComboFix one, then the Mbam one, and lastly, the updated HJT program log.

ComboFix 08-07-10.1 - jritcey 2008-07-11 21:02:59.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2965 [GMT -4:00]
Running from: C:\jim jr\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\jritcey\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\jritcey\Application Data\rhcgo3j0ej79
C:\Documents and Settings\jritcey\Application Data\shcjo3j0ej79
C:\Program Files\shcjo3j0ej79
C:\WINDOWS\system32\oeminfo.ini

.
(((((((((((((((((((((((((   Files Created from 2008-06-12 to 2008-07-12  )))))))))))))))))))))))))))))))
.

2008-07-11 20:40 . 2008-07-11 20:40      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-07-10 22:07 . 2008-07-10 22:07      197      --a------      C:\WINDOWS\system32\MRT.INI
2008-06-30 23:20 . 2008-06-30 23:28      <DIR>      d--------      C:\Documents and Settings\jritcey\Application Data\OfficeUpdate12
2008-06-29 22:29 . 2004-10-07 21:16      35,840      --a------      C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-06-29 22:27 . 2003-03-09 16:31      233,528      -ra------      C:\WINDOWS\system32\HPZidr12.dll
2008-06-29 22:27 . 2003-03-09 16:31      167,936      -ra------      C:\WINDOWS\system32\HPZipr12.dll
2008-06-29 22:27 . 2003-03-09 16:31      94,208      -ra------      C:\WINDOWS\system32\HPZipt12.dll
2008-06-29 22:27 . 2003-03-09 16:31      65,795      -ra------      C:\WINDOWS\system32\HPZipm12.exe
2008-06-29 22:27 . 2003-03-09 16:31      61,699      -ra------      C:\WINDOWS\system32\HPZinw12.exe
2008-06-29 22:27 . 2003-03-09 16:31      57,344      -ra------      C:\WINDOWS\system32\HPZisn12.dll
2008-06-29 22:27 . 2003-03-09 16:31      51,024      -ra------      C:\WINDOWS\system32\drivers\hpzid412.sys
2008-06-29 22:27 . 2003-03-09 16:31      16,080      -ra------      C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-06-29 22:26 . 2003-03-09 16:31      21,456      -ra------      C:\WINDOWS\system32\drivers\HPZius12.sys
2008-06-29 22:25 . 2003-03-09 16:31      561,152      -ra------      C:\WINDOWS\system32\hpotscl.dll
2008-06-29 22:25 . 2003-03-09 16:30      237,568      -ra------      C:\WINDOWS\system32\HPZc3212.dll
2008-06-29 22:25 . 2003-03-09 16:31      81,920      -ra------      C:\WINDOWS\system32\hpovst08.dll
2008-06-29 22:25 . 2004-08-03 22:58      15,104      --a------      C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-29 22:25 . 2004-08-03 22:58      15,104      --a------      C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-29 22:21 . 2008-06-29 22:29      20,454      --a------      C:\WINDOWS\hpoins01.dat
2008-06-29 22:21 . 2003-04-05 23:24      16,618      ---------      C:\WINDOWS\hpomdl01.dat
2008-06-29 22:15 . 2008-06-29 22:15      <DIR>      d--------      C:\WINDOWS\system32\NtmsData
2008-06-29 22:11 . 2008-06-29 22:11      <DIR>      d--------      C:\Documents and Settings\jritcey\Application Data\Hewlett-Packard
2008-06-29 21:58 . 2008-06-29 21:58      <DIR>      d--------      C:\Program Files\Common Files\Hewlett-Packard
2008-06-29 21:56 . 2008-06-29 22:29      <DIR>      d--------      C:\Program Files\Hewlett-Packard
2008-06-29 09:44 . 2008-06-29 09:44      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-28 22:30 . 2008-07-11 20:32      <DIR>      d--------      C:\jim jr
2008-06-27 08:46 . 2008-07-06 09:40      156      --a------      C:\WINDOWS\delself.bat
2008-06-23 14:28 . 2008-06-23 14:28      1,039,521      --a------      C:\WINDOWS\system32\Ikebana.scr
2008-06-23 14:27 . 2008-06-23 14:27      3,821,357      --a------      C:\WINDOWS\system32\Alegria.scr
2008-06-23 01:07 . 2008-06-23 01:07      <DIR>      d--------      C:\Program Files\Plus!
2008-06-23 01:07 . 2008-06-23 01:07      1,067,647      --a------      C:\WINDOWS\system32\Tsukubai.scr
2008-06-22 23:10 . 2008-06-22 23:10      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-06-22 22:23 . 2003-06-25 16:05      266,360      --a------      C:\WINDOWS\system32\TweakUI.exe
2008-06-22 22:23 . 2002-06-21 15:09      160,217      --a------      C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-22 22:23 . 2008-06-22 22:23      150,192      --a------      C:\TweakUiPowertoySetup.exe
2008-06-22 21:43 . 2008-06-22 21:43      4,752      --a------      C:\WINDOWS\system32\tmp.reg
2008-06-22 21:42 . 2008-06-22 21:45      <DIR>      d--------      C:\SmitfraudFix
2008-06-22 21:32 . 2008-01-12 03:12      1,308,216      --a------      C:\HiJackThis_v2.exe
2008-06-22 21:32 . 2008-01-12 21:19      1,129,580      --a------      C:\SmitfraudFix.exe
2008-06-22 20:50 . 2008-06-22 20:50      <DIR>      d--hs----      C:\found.000
2008-06-20 13:41 . 2008-06-20 13:41      245,248      ---------      C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 09:31 . 2008-06-21 23:16      <DIR>      d-a------      C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 09:25 . 2008-06-20 09:25      <DIR>      d--------      C:\Program Files\bfgclient
2008-06-20 09:24 . 2008-06-20 09:30      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-06-20 06:44 . 2008-06-20 06:44      138,368      ---------      C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 20:19 . 2008-07-11 17:27      488      --a------      C:\hpfr5550.xml
2008-06-19 20:05 . 2004-08-03 23:01      25,856      --a------      C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-19 20:05 . 2004-08-03 23:01      25,856      --a------      C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-13 12:30 . 2008-06-13 12:30      524,288      --a------      C:\WINDOWS\opuc.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 01:01      ---------      d-----w      C:\Program Files\Symantec AntiVirus
2008-07-11 19:35      ---------      d-----w      C:\Documents and Settings\jritcey\Application Data\ICAClient
2008-07-11 16:32      ---------      d-----w      C:\Program Files\Thumbs7
2008-07-09 21:58      ---------      d-----w      C:\Program Files\Trillian
2008-07-08 04:26      ---------      d-----w      C:\Documents and Settings\jritcey\Application Data\U3
2008-07-01 03:32      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-23 04:04      ---------      d-----w      C:\Program Files\Windows Desktop Search
2008-06-20 17:41      245,248      ----a-w      C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:25      0      ----a-w      C:\Program Files\temp01
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 22:42      ---------      d-----w      C:\Program Files\SiteXpert
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 15:26      48,020      ----a-w      C:\termlicensekey.reg
2008-06-10 14:31      ---------      d-----w      C:\Program Files\Citrix
2008-06-10 03:04      ---------      d-----w      C:\Program Files\MSXML 6.0
2008-06-09 16:10      ---------      d-----w      C:\Documents and Settings\jritcey\Application Data\AdobeUM
2008-06-08 23:23      ---------      d-----w      C:\Program Files\IrfanView
2008-06-08 20:39      ---------      d-----w      C:\Program Files\MSECache
2008-06-08 20:38      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-08 20:25      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2008-06-08 20:16      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-06-08 19:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-08 17:08      ---------      d-----w      C:\Program Files\MSBuild
2008-06-08 17:05      ---------      d-----w      C:\Program Files\Reference Assemblies
2008-06-08 16:03      ---------      d-----w      C:\Program Files\Nova Development
2008-06-08 16:03      ---------      d-----w      C:\Program Files\Common Files\Nova Development
2008-06-08 02:07      ---------      d-----w      C:\Program Files\HyperSnap-DX 4
2008-06-08 02:07      ---------      d-----r      C:\Program Files\AnfyTeam
2008-06-08 02:04      ---------      d-----w      C:\Program Files\Widget
2008-06-08 02:04      ---------      d-----w      C:\Program Files\WebEx
2008-06-08 02:04      ---------      d-----w      C:\Program Files\SmartDraw Viewer
2008-06-07 23:33      ---------      d-----w      C:\Program Files\Background Magic
2008-05-08 12:28      202,752      ----a-w      C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18      1,287,680      ----a-w      C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18      1,287,680      ------w      C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-07 00:47      69,632      ----a-w      C:\WINDOWS\Shutterfly Studio Screen Saver.scr
2008-04-24 02:16      3,591,680      ----a-w      C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40      625,664      ------w      C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39      70,656      ------w      C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39      13,824      ------w      C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07      161,792      ------w      C:\WINDOWS\system32\dllcache\ieakui.dll
.

------- Sigcheck -------

2004-08-04 06:00  16896  4e06f50f95357b8cfbc81f5699e754b7      C:\WINDOWS\system32\svchost.exe

2004-08-04 06:00  505856  e853481fef64a5be3fc3732d9d3d926a      C:\WINDOWS\system32\winlogon.exe

2007-06-13 06:23  1035264  90bdefa8740e66dee42c12eb1c30c789      C:\WINDOWS\explorer.exe
2007-06-13 07:26  1033216  7712df0cdde3a5ac89843e61cd5b3658      C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 06:00  1032192  a0732187050030ae399b241436565e64      C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

2004-08-04 06:00  110080  5812a3513734517f8c2c5eab6b269864      C:\WINDOWS\system32\services.exe

2004-08-04 06:00  14336  c3e6b717e7b284e1fa89ba9f7a1be1ed      C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788      C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53  58368  44fce06d98349f92a39a9a242b88650f      C:\WINDOWS\system32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 22:36 1207080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 16:50 8429568]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
"ReminderApp"="C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 01:03 185664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-02 22:38 98304]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 16:50 81920]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 16:30 188416]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 04:10 1392640]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 22:49 159744]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 00:26 303104 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2007-05-31 16:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-31 16:50 67584 C:\WINDOWS\system32\nvhotkey.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-06-08 16:07:21 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-08-06 08:51:04 1528880]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-07-25 03:49:01 50688]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2008-06-10 10:34:19 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 15:21]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4062ae67-37c2-11dd-980c-001c23838df1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 02:30:16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1214792967.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SMshcjo3j0ej79 - C:\Program Files\shcjo3j0ej79\shcjo3j0ej79.exe
SSODL-AlATdKGy-{D069857C-7AC3-2FD6-5C42-77B8B1CAC590} - C:\WINDOWS\system32\poz.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 21:03:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-11 21:04:48
ComboFix-quarantined-files.txt  2008-07-12 01:04:37

Pre-Run: 63,593,558,016 bytes free
Post-Run: 63,615,287,296 bytes free

215      --- E O F ---      2008-07-11 02:08:00

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

21:17:18 2008-07-11
mbam-log-7-11-2008 (21-17-18).txt

Scan type: Quick Scan
Objects scanned: 45043
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\jritcey\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:08 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sp.local
O17 - HKLM\Software\..\Telephony: DomainName = sp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sp.local
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\jritcey\My Documents\Executables\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7804 bytes

Any suggestions to get those two programs running again? Microsoft's Outlook did recognize the problem once and asked if I wanted to let it run diagnostics on itself, which I did, but still didn't fix it.
thanks.
Jim.

 

by: rpggamergirlPosted on 2008-07-14 at 03:36:35ID: 21996904


Outlook or Outlook Express? Have you tried running sfc /scannow (if you have the windows CD) to check for corrupted files.

Also try the steps mentioned here for IE7 crash:
http://enhanceie.com/ie/troubleshoot.asp
If IE crashes, the most likely problem is that there's a buggy add-on (Toolbar or Browser Helper Object).  In order to verify and isolate the buggy add-on, follow these steps:

1.  Start IE in No Add-ons mode, either by right-clicking the Desktop icon,
or clicking START | RUN and typing: iexplore.exe -extoff

2.  Determine if IE fails.
3.  If not, use Tools | Manage Add-ons to disable all browser extensions and toolbars.
4.  Restart IE and reenable browser extensions one-by-one.
5.  Once you've found a broken extension, contact the manufacturer and ask for an update.

 

by: yellow1053Posted on 2008-07-17 at 15:12:16ID: 22030925

Ok, well, we don't have an sp2 cd, as it was upgraded to sp2 online. and IE won't run in -extoff mode, it just hangs and errors out (not responding) and it is outlook proper. very frustrating, I'm on that computer right now, so IE is running ok for the moment, but it won't last. but outlook everytime I open it, it just forever says (trying to connect) in the bottom right corner, and then hangs there. never making a connection. it is outlook 2007 according to the help about screen.
thanks.

 

by: yellow1053Posted on 2008-07-17 at 15:15:45ID: 22030941

o, I forgot, we did get this error once.
error signature: szAppName: OUTLOOK.EXE  szAppVer: 12.0.6212.1000 szModName: hungapp
szModVer: 0.0.0.0  offset: 00000000

 

by: rpggamergirlPosted on 2008-07-21 at 05:34:55ID: 22049831

I don't know about the Outlook problem sorry, I'll see if we can get outlook experts to come and take a look at this thread.

 

by: meintsiPosted on 2008-07-22 at 06:49:45ID: 22059301

I haven't read any  of the repair advice listed above (yet), but before you get buried to deep in this repair, did you try to use the Office Diagnostics included with 2007?  Or even to insert the CD and "repair office".
A new installation of IE "over the top" may also clear up those issues.

 

by: yellow1053Posted on 2008-07-22 at 20:41:54ID: 22065803

Hi Meintsi,
   I did try the office diagnostics which ran completely and didn't find any problems. this program was preloaded on this laptop, so we don't have an original cd to reload from. (also don't have the XP SP2 cd to try the sfc command either, as sp2 was downloaded) thanks.

 

by: torimarPosted on 2008-07-23 at 01:07:01ID: 22066933

In order to get the sfc command to work again, you could create a slipstreamed XP SP2 install CD, using:

- your original install CD
- the SP2 update pack: https://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en
- the program 'nliteos' for creating slipstreamed CDs: http://www.nliteos.com/guide

 

by: yellow1053Posted on 2008-07-25 at 16:57:42ID: 31475530

Thanks all!!!

 

by: rpggamergirlPosted on 2008-07-25 at 23:04:01ID: 22093914

yellow1053,
Sorry that the other issues weren't solved in this thread.
I hope you'll get a solution for that soon.


Vee_mod,
You're absolutely right, Hijackthis should be run in normal mode unless safe mode is the only mode the pc boots into.
The entries showing in the first Hijackthis log eventhough in safe mode was enough to call for SDFix and followed with Combofix.
And everything shows in combofix log even the disabled startup entries which Hijackthis doesn't scan, which means a CF log shows more than a Hijackthis log ran in normal mode.
You're very observant, very thorough and wise, :)
EE is blessed to have Mods who actively patrols the zones and making sure everything's okay.

Thank you all.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...