27 replies to this topic

[jimnbarb]

Hello,

This infection just won't go away.
Panda and HiJack this logs to follow.

As per the instructions here is my MB Log:

Malwarebytes' Anti-Malware 1.10
Database version: 597

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 155728
Time elapsed: 44 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.

[jimnbarb]

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:51 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?

TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.w...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32

\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common

Files\LightScribe\LSSrvc.exe
O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--
End of file - 7453 bytes

[JeanInMontana]

Hi jimnbarb and welcome to Malwarebytes. Please be sure you have your email settings inn your * My Controls* panel to notify you of replies.

Always post the HJT log after any removal scans. I am going to delete this one now and please repost an new one after the Panda scan

You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/...loads/index.jsp and install the correct version for your system. Choose the offline installation.


This is a rogue program C:\Program Files\WinReanimator\WinReanimator.exe <=========== Uninstall it please and upload the file to here http://uploads.malwarebytes.org/ IF

Your running bit torrent software, very risky behavior, and a good chance this is part of your problems.

Edited by JeanInMontana, 07 April 2008 - 04:28 PM.
add information & instructions

[jimnbarb]

Here's my Panda scan.
Any help you could give me on this would be appreciated. It is driving me insane.


;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-04-07 10:39:02
PROTECTIONS: 0
MALWARE: 84
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Mozilla\Firefox\Profiles\ky6uec8k.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@tradedoubler[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Mozilla\Firefox\Profiles\ky6uec8k.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@247realmedia[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@247realmedia[1].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bfast[2].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@bfast[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@fastclick[2].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@servedby.advertising[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@tribalfusion[2].txt
00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-eu.falkag[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@mediaplex[2].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@linksynergy[2].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@anm.co[1].txt
00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@entrepreneur[2].txt
00149002 Cookie/Peel TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@peel[2].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@maxserving[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@belnk[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@belnk[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.belnk.com/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@revenue[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@revenue[2].txt
00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@findwhat[1].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@dist.belnk[2].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@dist.belnk[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.myaffiliateprogram[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@yadro[2].txt
00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@webpower[2].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xiti[1].txt
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@hotlog[1].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@z1.adserver[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@azjmp[2].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statcounter[2].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@counter.hitslink[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@perf.overture[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@burstnet[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@www.burstbeacon[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www.burstbeacon[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@www.burstbeacon[2].txt
00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as-us.falkag[1].txt
00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@as1.falkag[2].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@weborama[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adtech[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@server.iad.liveperson[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@stat.onestat[1].txt
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@fl01.ct2.comclick[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.advertising.com/]
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@realmedia[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Application Data\Mozilla\Firefox\Profiles\y0dvu4wz.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@bluestreak[2].txt
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@xxxcounter[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@adrevolver[2].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@bravenet[1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adultfriendfinder[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@go[1].txt
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@valueclick[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@searchportal.information[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@searchportal.information[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@searchportal.information[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@target[1].txt
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ct.360i[1].txt
00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www2.addfreestats[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@atwola[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@atwola[1].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@www6.addfreestats[1].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ehg-dig.hitbox[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@ads.addynamix[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Local Settings\Temp\Cookies\jantonio@ads.addynamix[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\jim\Cookies\jim@ads.addynamix[1].txt
00515709 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[VaaaaaaaBaa.class]
00515710 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Baaaaa.class]
00515711 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[BaaaaBaa.class]
00516819 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dex.class]
00516820 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dvnny.class]
00516821 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dux.class]
00516823 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-693bf300.zip[Dix.class]
01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe
01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi[unk_0029]
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@adserver.easyad[1].txt
02763634 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[VaannnaaBaa.class]
02763635 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[Bnnnnn.class]
02763636 Trj/ClassLoader.AH Virus/Trojan No 0 Yes No C:\Documents and Settings\jantonio\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-770aee49.zip[BnnnnBaa.class]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@advancedcleaner[2].txt
02908018 Cookie/WinReanimator TrackingCookie No 0 Yes No C:\Documents and Settings\jantonio\Cookies\jantonio@winreanimator[2].txt
02908359 Trj/Cimuz.KK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\msindc.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location 
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description 
;===============================================================================
================================================================================
=
===================
108742 MEDIUM MS06-006 
;===============================================================================
================================================================================
=
===================

[jimnbarb]

OK,
Hopefully this one is better.
As far as BitTorrent goes, I uninstalled that prgram months ago. There isn't a folder in my programs called that.
WinReanimator is very recent and IMHO, the source of my agony. I don't recall ever installing that, though I did uninstall it last week when I discovered it.
It doesn't exist in the file structure as far as I can tell.
These guys:
HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

must be coming from my registry right? Should I go in and delete those entries?
In any case here is my new HJT log. Thanks for the quick reply.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:43 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\sol.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\DEVENV.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.w...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--
End of file - 8260 bytes

[JeanInMontana]

Hi again. You have more than one source of misery. Most likely bundled with the Winreanimator but we can't be sure.

Run HJT again in scan only and put a check next to these lines.

O2 - BHO: (no name) - {03B0CB02-BD15-4842-9E79-05D701FB6EE7} - (no file)

O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide

O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O20 - AppInit_DLLs: cru629.dat

Now please get this tool:

1. Download this file :
http://download.blee...Bs/ComboFix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.
Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall.

[jimnbarb]

I had a question.
You said to run Hijack this and put check marks next to certain items.
Do I do anything after that point, like run "Fix Check" or something? or do I just produce another log?

[JeanInMontana]

Ooops yes click fix after you check mark those lines. Sorry

[jimnbarb]

Here is my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:41 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.w...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--
End of file - 7799 bytes

[jimnbarb]

OK, Combo Fix ran w/o any apparent errors. What next? This is getting kind of fun!

Here is the resulting log from the ComboFix exe:

ComboFix 08-04-07.5 - jantonio 2008-04-08 9:41:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT -7:00]
Running from: C:\temp\ComboFix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com
C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com\played_list.sol
C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\#SharedObjects\H4HBVHF7\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\jantonio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\temp\Temporary Internet Files\aserybyz._dl
C:\temp\Temporary Internet Files\puqazuhek.bin
C:\WINDOWS\system32\duis.txt
C:\WINDOWS\system32\msindc.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 09:39 . 2008-04-08 09:39 <DIR> d-------- C:\temp\ComboFix
2008-04-07 11:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 11:13 . 2008-04-07 11:14 <DIR> d-------- C:\Program Files\Java
2008-04-07 11:03 . 2008-04-07 11:03 <DIR> d-------- C:\Program Files\SDM20
2008-04-06 20:38 . 2008-04-06 20:38 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 19:35 . 2008-04-06 19:38 <DIR> d-------- C:\temp\SPyBotSearchAndDestroy
2008-04-06 18:53 . 2008-04-06 18:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 18:05 . 2008-04-06 18:07 <DIR> d-------- C:\temp\fixVundo
2008-03-26 15:22 . 2008-03-26 15:36 <DIR> d-------- C:\Program Files\KBSearchAndReplaceTool
2008-03-24 14:12 . 2008-04-01 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-24 14:12 . 2008-03-24 14:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 01:25 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Malwarebytes
2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-23 01:12 . 2008-03-23 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 00:42 . 2008-04-06 19:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-23 00:42 . 2008-04-06 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 00:22 . 2008-03-23 00:22 17,135 --a------ C:\Documents and Settings\All Users\Application Data\mogytusuk.pif
2008-03-23 00:21 . 2008-03-23 00:21 17,983 --a------ C:\Documents and Settings\All Users\Application Data\lyjobavyl.reg
2008-03-23 00:21 . 2008-03-23 00:21 15,248 --a------ C:\Documents and Settings\jantonio\Application Data\awec.reg
2008-03-23 00:21 . 2008-03-23 00:21 12,347 --a------ C:\Documents and Settings\All Users\Application Data\ylytewe.com
2008-03-23 00:17 . 2004-08-10 00:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys
2008-03-22 18:58 . 2008-03-22 18:59 <DIR> d-------- C:\Program Files\QuickTime
2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\Skype
2008-03-10 14:56 . 2008-04-08 09:34 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Skype
2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-08 05:06 . 2008-03-08 05:06 <DIR> d-------- C:\WINDOWS\SQLTools9_KB932557_ENU
2008-03-08 05:05 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 16:49 --------- d-----w C:\Program Files\BOINC
2008-04-06 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 18:28 --------- d-----w C:\Program Files\Citrix
2008-03-23 07:21 19,133 ----a-w C:\WINDOWS\aqyfunumys.scr
2008-03-23 07:21 17,105 ----a-w C:\WINDOWS\aceri.com
2008-03-23 07:21 16,713 ----a-w C:\Program Files\Common Files\epytu.lib
2008-03-23 07:21 16,678 ----a-w C:\Program Files\Common Files\idyjyvakac.lib
2008-03-23 07:21 12,411 ----a-w C:\WINDOWS\ypypewoban.dll
2008-03-23 07:21 10,364 ----a-w C:\WINDOWS\udypuhini.dll
2008-03-23 07:21 10,166 ----a-w C:\WINDOWS\ofijibac.scr
2008-03-23 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-22 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-22 19:01 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-18 00:32 --------- d-----w C:\Program Files\NUnit 2.4.6
2008-03-01 19:04 --------- d-----w C:\Program Files\Windows Live
2008-03-01 19:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2006-05-18 20:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 13:50 729178]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 12:39 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 11:56 409600]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 15:26 233534]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23 1187840]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-13 17:59:40 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-11-13 14:44:44 4141056]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-05-17 11:30:32 1470480]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\jantonio\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\Program Files\\Automated QA\\TestComplete 6\\Bin\\TestComplete.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 TestComplete 6 Service;TestComplete 6 Service;"C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe" [2007-11-17 03:11]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 09:49:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????>????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yeyqase]
"ImagePath"="\??\C:\WINDOWS\system32\ras\yeyqase.mis"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-08 9:54:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 16:54:14
Pre-Run: 47,158,390,784 bytes free
Post-Run: 47,158,026,240 bytes free
.
2008-03-22 19:05:17 --- E O F ---

[JeanInMontana]

Several things were removed. Let's get a new scan with MBAM too be sure to update. HJT log please and how is the system running now?

[jimnbarb]

Drat, those same 2 files are back again.
Here is the latest MB log, HJT log to follow.

Malwarebytes' Anti-Malware 1.11
Database version: 600

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 144841
Time elapsed: 42 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\TEMP\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.

[jimnbarb]

Latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:02 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.w...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--
End of file - 8263 bytes

[JeanInMontana]

Those two things MBAM is showing are temp files. We will do a cleanup of those.

Please upload this file C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe to here . This will ensure it gets added to the data base for future removals.

Please upload the file C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe to here and post the results in your next reply. We will make sure it is malware this way.

Now let's sweep the mud out. Get the program here and scan with it remove what it finds.

Now please get this tool.

1. Download this file :
http://download.blee...Bs/ComboFix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.
Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall.

[jimnbarb]

OK, the file was uploaded to your site:

Isn't this file needed for my Visual Studio to continue functioning?

VirusTotal scan log follows:

File DEVENV.EXE received on 04.09.2008 17:43:15 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 9.
Estimated start time is between 66 and 94 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.9.0 2008.04.09 -
AntiVir 7.6.0.81 2008.04.09 -
Authentium 4.93.8 2008.04.09 -
Avast 4.8.1169.0 2008.04.09 -
AVG 7.5.0.516 2008.04.09 -
BitDefender 7.2 2008.04.09 -
CAT-QuickHeal 9.50 2008.04.08 -
ClamAV 0.92.1 2008.04.09 -
DrWeb 4.44.0.09170 2008.04.09 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5684 2008.04.09 -
Ewido 4.0 2008.04.09 -
F-Prot 4.4.2.54 2008.04.08 -
F-Secure 6.70.13260.0 2008.04.09 -
FileAdvisor 1 2008.04.09 -
Fortinet 3.14.0.0 2008.04.09 -
Ikarus T3.1.1.26 2008.04.09 -
Kaspersky 7.0.0.125 2008.04.09 -
McAfee 5269 2008.04.08 -
Microsoft 1.3408 2008.04.09 -
NOD32v2 3013 2008.04.09 -
Norman 5.80.02 2008.04.09 -
Panda 9.0.0.4 2008.04.08 -
Prevx1 V2 2008.04.09 -
Rising 20.39.12.00 2008.04.08 -
Sophos 4.28.0 2008.04.09 -
Sunbelt 3.0.1032.0 2008.04.08 -
Symantec 10 2008.04.09 -
TheHacker 6.2.92.269 2008.04.09 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.08 -
Webwasher-Gateway 6.6.2 2008.04.09 -
Additional information
File size: 264464 bytes
MD5...: fd98dc9ba3d3d5690699156d9eab310e
SHA1..: 1fe260ae0574e0c4dd9149f640d171e6b98afeea
SHA256: f210161162f1b5e744733fa53ea83961b59ce09282694384002b28a6f238cc8c
SHA512: e0b214365affee1eeeabd004e6b5f83cd3031c451af2b6f9a1ee0a61d26b1b7b
3800e095ad3c574f84f4710081b3784096a96612e6f4c1c6b69f345c6a3321c3
PEiD..: InstallShield 2000
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401172
timedatestamp.....: 0x3587655b (Wed Jun 17 06:42:35 1998)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2eba 0x3000 6.22 c0aea2c0b6bab8a932769f083eeebeeb
.data 0x4000 0x250 0x400 0.48 16add10d5629c6961abca98e1bdd858c
.rsrc 0x5000 0x3cc68 0x3ce00 4.79 a4c84968e659bf9232ed9a5ba70f440f

( 6 imports )
> KERNEL32.dll: FindResourceA, FreeResource, SizeofResource, LoadResource, lstrlenA, LoadLibraryA, CreateDirectoryA, GetStartupInfoA, GetModuleHandleA, lstrcpyA, lstrcmpA, lstrcatA, IsDBCSLeadByte, GetFileAttributesA, lstrcmpiA, GetProcAddress
> USER32.dll: EndPaint, BeginPaint, LoadBitmapA, DefWindowProcA, GetSystemMetrics, SystemParametersInfoA, CharNextA, wsprintfA, LoadStringA, DestroyWindow, MessageBoxA, UpdateWindow, CreateWindowExA, RegisterClassA, ReleaseDC, OffsetRect, InflateRect, DrawTextA, GetDC
> GDI32.dll: SelectObject, CreatePalette, SetTextColor, TextOutA, DeleteObject, DeleteDC, GetObjectA, SetBkMode, CreateFontIndirectA, GetTextExtentPoint32A, GetStockObject, Rectangle, SelectPalette, GetDeviceCaps, CreateDIBitmap, SetStretchBltMode, RealizePalette, CreateCompatibleDC, BitBlt
> ADVAPI32.dll: RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegOpenKeyExA, RegOpenKeyA, RegQueryValueA, RegCloseKey
> SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc
> MSVCRT.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, strchr, free, malloc, _controlfp

( 0 exports )

[JeanInMontana]

Yes it looks like it is legit. I had found some instances where the file was bad with the same name. Malware does this, names itself after known good files. Please continue with the rest of my instructions.

[jimnbarb]

Here is the combofix log:

ComboFix 08-04-08.10 - jantonio 2008-04-09 9:31:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -7:00]
Running from: C:\temp\ComboFix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 09:01 . 2008-04-09 09:01 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 08:59 . 2008-04-09 09:00 <DIR> d-------- C:\temp\CCleaner
2008-04-08 09:39 . 2008-04-09 09:11 <DIR> d-------- C:\temp\ComboFix
2008-04-07 11:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 11:13 . 2008-04-07 11:14 <DIR> d-------- C:\Program Files\Java
2008-04-07 11:03 . 2008-04-07 11:03 <DIR> d-------- C:\Program Files\SDM20
2008-04-06 20:38 . 2008-04-06 20:38 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 19:35 . 2008-04-06 19:38 <DIR> d-------- C:\temp\SPyBotSearchAndDestroy
2008-04-06 18:53 . 2008-04-06 18:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 18:05 . 2008-04-06 18:07 <DIR> d-------- C:\temp\fixVundo
2008-03-26 15:22 . 2008-03-26 15:36 <DIR> d-------- C:\Program Files\KBSearchAndReplaceTool
2008-03-24 14:12 . 2008-04-01 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-24 14:12 . 2008-03-24 14:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 01:25 . 2008-04-08 10:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Malwarebytes
2008-03-23 01:25 . 2008-03-23 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-23 01:12 . 2008-03-23 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 00:42 . 2008-04-06 19:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-23 00:42 . 2008-04-06 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 00:22 . 2008-03-23 00:22 17,135 --a------ C:\Documents and Settings\All Users\Application Data\mogytusuk.pif
2008-03-23 00:21 . 2008-03-23 00:21 17,983 --a------ C:\Documents and Settings\All Users\Application Data\lyjobavyl.reg
2008-03-23 00:21 . 2008-03-23 00:21 15,248 --a------ C:\Documents and Settings\jantonio\Application Data\awec.reg
2008-03-23 00:21 . 2008-03-23 00:21 12,347 --a------ C:\Documents and Settings\All Users\Application Data\ylytewe.com
2008-03-23 00:17 . 2004-08-10 00:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys
2008-03-22 18:58 . 2008-03-22 18:59 <DIR> d-------- C:\Program Files\QuickTime
2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\Skype
2008-03-10 14:56 . 2008-04-09 08:58 <DIR> d-------- C:\Documents and Settings\jantonio\Application Data\Skype
2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-10 12:28 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-10 12:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-10 12:19 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 15:32 --------- d-----w C:\Program Files\BOINC
2008-04-06 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 18:28 --------- d-----w C:\Program Files\Citrix
2008-03-23 07:21 19,133 ----a-w C:\WINDOWS\aqyfunumys.scr
2008-03-23 07:21 17,105 ----a-w C:\WINDOWS\aceri.com
2008-03-23 07:21 16,713 ----a-w C:\Program Files\Common Files\epytu.lib
2008-03-23 07:21 16,678 ----a-w C:\Program Files\Common Files\idyjyvakac.lib
2008-03-23 07:21 12,411 ----a-w C:\WINDOWS\ypypewoban.dll
2008-03-23 07:21 10,565 ----a-w C:\WINDOWS\system32\kirini.bat
2008-03-23 07:21 10,364 ----a-w C:\WINDOWS\udypuhini.dll
2008-03-23 07:21 10,166 ----a-w C:\WINDOWS\ofijibac.scr
2008-03-23 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-22 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-22 19:01 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-18 00:32 --------- d-----w C:\Program Files\NUnit 2.4.6
2008-03-08 12:05 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-01 19:04 --------- d-----w C:\Program Files\Windows Live
2008-03-01 19:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-05-18 20:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_ 9.54.01.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-07 15:02:09 64,518 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-08 23:00:09 64,518 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-07 15:02:10 408,676 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-08 23:00:09 408,676 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 13:50 729178]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 12:39 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 11:56 409600]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 15:26 233534]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23 1187840]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-13 17:59:40 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-11-13 14:44:44 4141056]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-05-17 11:30:32 1470480]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\jantonio\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\Program Files\\Automated QA\\TestComplete 6\\Bin\\TestComplete.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 TestComplete 6 Service;TestComplete 6 Service;"C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe" [2007-11-17 03:11]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 09:34:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????=????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\yeyqase]
"ImagePath"="\??\C:\WINDOWS\system32\ras\yeyqase.mis"
.
Completion time: 2008-04-09 9:36:18
ComboFix-quarantined-files.txt 2008-04-09 16:36:00
ComboFix2.txt 2008-04-08 16:54:18
Pre-Run: 48,742,395,904 bytes free
Post-Run: 48,735,064,064 bytes free
.
2008-03-22 19:05:17 --- E O F ---

[jimnbarb]

Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:40 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.tdameritrade.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://open-techs.w...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://lock.open-techs.com/dana-cached/set...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCC34FCA-1B41-45A9-9FB1-6A7C24FA18CB}: NameServer = 10.1.2.72
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TestComplete 6 Service - AutomatedQA Corporation - C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe

--
End of file - 8222 bytes

[JeanInMontana]

Hi Jim. How are things running?

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background I should have had you remove that one too. sorry.

Nothing is showing in the HJT log. But I would like your feedback.

[jimnbarb]

Does that mean my machine is rid of its infection?

As far as my machine goes...My machine still seems very sluggish, especially when loading web pages.
I also am noticing that the little idiot light that goes off whenever the laptop is doing some "thinking" flashes on and off about once a second.
I'm pretty sure (though not 100%) that is wasn't doing that before.
Right when this whole thing started my provider (Comcast) blocked my default email port because apparently my machine was spewing email.
I can't help but think it might still be trying to do that (though I have no real evidence).
Since I do WebDev for a living, being able to refresh web pages quickly is key.

Right now its averaging about 1 min per page reload.
Any ideas?