1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Control Panel - Display - Desktop Tab

Discussion in 'Virus & Other Malware Removal' started by ken278, Jun 8, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    The desktop tab in the display folder in control panel has disappeared. I was in a web site and
    all of a sudden my desktop (I had a picture of my dog as the background) changed from what I had to a pure bright blue and in the middle of the desktop there is a message box that reads
    -Warning spyware detected on your computer - Install and anti virus or spyware remover to clean your computer - I have Trend Micro anti virus and Webroot and Ad-Aware spyware removers already and I have run all of them after this happened which did not get my desktop tab back so that I could change the background. Trend Micro has discovered that I just got hit with 10 TroJ_Pakes.bfz viruses which they have quarantined.

    All my icons are still on the desktop.

    I am running on XP. How do I get my desktop tab in the display folder back so that I can change the background? Any and all help will be greatly appreciated.
    Thanks,
    Ken
     
  2. Blackmirror

    Blackmirror

    Joined:
    Dec 5, 2006
    Messages:
    32,642
    Lets have a look please

    If you have HJT already please uninstall before reinstalling new version
    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  3. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:44 AM, on 6/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\WINDOWS\system32\lphc7saj0e578.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.fidelity.com/frameless_pr_B.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [lphc7saj0e578] C:\WINDOWS\system32\lphc7saj0e578.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 8751 bytes
     
  4. Tufenuf

    Tufenuf

    Joined:
    Jul 28, 2007
    Messages:
    2,461
    ken278, Go to the link below and scroll down to Line 285 (right column) and click on "Restore All Display Tabs" to download a reg file and save the REG File to your hard disk. Double click it and answer yes to the import prompt.

    http://www.kellys-korner-xp.com/xp_tweaks.htm

    It should restore the Desktop tab and then wait till someone helps you with your HijackThis log.

    Tufenuf
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,279
    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

    Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

    Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
     
  6. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    I have downloaded ComboFix but have not run it as yet. I would like the autorun function to be reset when we are done. Having IE as default browser is alright. I have read the ComboFix info and do not see a problem. I will re run it after you get this and tell me to go ahead.

    We will have to go slow as I am uncertain about all this. I should mention also that my antivirus is still picking up viruses and I am deleting the files as they pick them up. There are numerous ones popping up.

    As far as Tufenuf's suggestion I downloaded the tab fix file but it comes as a notepad text file. As that what I should copy and save to my desktop as I text file. I am uncertain about this process.

    Please let me know to proceed.
    Thanks so much for your patience.
    Ken
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,279
    Hold off on running the regfix as the infection will just reset those values anyway. We will be taking care of that.

    We can reset the autoruns when we're finished and you can change your browser to another one as the default very easily if you wish.

    Please go ahead and run ComboFix and post that log.
     
  8. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    The log below is what you said I should send. Also for your info the virus that keeps coming is:
    TROJ_PAKES.HK and TROJ_PAKES.BFK and they seem to come together every 20 minutes according to the TrendMicro log.
    Thanks again for all the time you are spending with me.
    Ken




    ComboFix 08-06-08.1 - HP_Administrator 2008-06-08 17:25:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1342 [GMT -5:00]
    Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\Documents and Settings\HP_Administrator\Application Data\inst.exe
    C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\AVMASZ63\www.broadcaster.com
    C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\AVMASZ63\www.broadcaster.com\played_list.sol
    C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\AVMASZ63\www.broadcaster.com\video_queue.sol
    C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
    .

    2008-06-08 00:52 . 2008-06-08 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-06-08 00:40 . 2008-06-08 00:40 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\shc1saj0e578
    2008-06-08 00:40 . 2008-06-08 08:30 90,838 --a------ C:\WINDOWS\system32\phc7saj0e578.bmp
    2008-06-08 00:39 . 2008-06-08 00:39 92,160 --a------ C:\WINDOWS\system32\lphc7saj0e578.exe
    2008-05-31 13:30 . 2008-05-31 13:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-05-31 13:24 . 2008-05-31 13:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-05-25 09:54 . 2008-05-25 09:54 <DIR> d-------- C:\Program Files\Common Files\xing shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-08 14:07 --------- d-----w C:\Program Files\Trend Micro
    2008-06-06 21:27 --------- d-----w C:\Program Files\Quicken
    2008-06-05 07:36 319 ----a-w C:\drmHeader.bin
    2008-05-25 14:52 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-05-25 14:52 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-05-25 14:52 --------- d-----w C:\Program Files\Common Files\Real
    2008-05-02 21:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
    2008-05-02 21:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
    2008-05-02 21:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
    2008-04-24 15:28 --------- d-----w C:\Program Files\FastStone Image Viewer
    2008-04-22 15:23 --------- d-----w C:\Program Files\MYGR
    2008-04-21 18:32 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Intuit
    2008-04-18 18:05 --------- d-----w C:\Program Files\Lavasoft
    2008-04-18 18:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-18 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-04-18 16:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-12 22:05 164 ----a-w C:\install.dat
    2008-04-09 16:44 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
    2008-04-09 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2007-10-26 01:21 47,360 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
    2007-09-29 18:43 2,487,927 ----a-w C:\Program Files\rgf6
    2007-09-29 18:39 38,075 ----a-w C:\Program Files\tui78
    2007-09-29 18:38 659,334 ----a-w C:\Program Files\htju
    2007-09-29 18:35 76,259 ----a-w C:\Program Files\ftfjtf
    2007-09-29 18:35 73,329 ----a-w C:\Program Files\gfcgjn
    2007-09-29 18:35 57,621 ----a-w C:\Program Files\gfjh
    2007-09-29 18:34 75,457 ----a-w C:\Program Files\kkkk
    2007-09-29 18:32 55,455 ----a-w C:\Program Files\index.php
    2007-05-15 22:34 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-09 16:00 33280 C:\WINDOWS\system32\rundll32.exe]
    "Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 09:52 185896]
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]
    "lphc7saj0e578"="C:\WINDOWS\system32\lphc7saj0e578.exe" [2008-06-08 00:39 92160]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-11-18 16:50:00 27136]
    PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-18 16:50:00 27136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-26 23:15:33 67128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispBackgroundPage"= 1 (0x1)
    "NoDispScrSavPage"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
    backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --a------ 2005-08-02 19:19 77312 C:\WINDOWS\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
    --a------ 2006-04-13 05:05 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 17:01 67584 C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
    --------- 2004-08-09 16:00 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    --a------ 2006-02-15 18:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    --a------ 2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    --a------ 2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --------- 2004-08-09 16:00 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-05-09 10:50 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2005-07-22 18:14 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2004-12-13 22:23 663552 C:\Windows\Creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2006-06-13 15:05 16239616 C:\WINDOWS\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-25 09:52 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trend Micro AntiVirus 2007]
    C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    --a------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "tmproxy"=2 (0x2)
    "tavsvc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\DISC\\DISCover.exe"=
    "C:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "C:\\Program Files\\DISC\\myFTP.exe"=
    "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Quicken\\qw.exe"=


    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-04 01:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-02 08:00:04 C:\WINDOWS\Tasks\wrSpySweeper_LB7BB792922F94A33A65519D9DC5CD54D.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LB7BB792922F94A33A65519D9DC5CD54D
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    - C:\
    "2008-06-07 09:00:04 C:\WINDOWS\Tasks\wrSpySweeper_LC1FA2C1F61194E23829D19FD2B89B5E3.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LC1FA2C1F61194E23829D19FD2B89B5E3
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-08 17:30:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-08 17:31:41
    ComboFix-quarantined-files.txt 2008-06-08 22:31:28

    Pre-Run: 204,367,585,280 bytes free
    Post-Run: 205,956,317,184 bytes free

    185 --- E O F --- 2008-05-14 08:01:16
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,279
    Before we continue, do you recognize any of these files? They were all created on September 29, 2007.

    C:\Program Files\rgf6
    C:\Program Files\tui78
    C:\Program Files\htju
    C:\Program Files\ftfjtf
    C:\Program Files\gfcgjn
    C:\Program Files\gfjh
    C:\Program Files\kkkk
    C:\Program Files\index.php
     
  10. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    I have no idea what those files are.
    Thanks for staying on with me to correct this. The virus keeps getting quarantined by Trend Micro but never removed.
    Ken
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,279
    I was 99.9% sure they were created by the malware but wanted to check with you first just in case.

    Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

    To disable SpySweeper:

    Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
    Over to the left click "shields" and uncheck all there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".


    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    File::
    C:\WINDOWS\system32\phc7saj0e578.bmp
    C:\WINDOWS\system32\lphc7saj0e578.exe
    C:\Program Files\rgf6
    C:\Program Files\tui78
    C:\Program Files\htju
    C:\Program Files\ftfjtf
    C:\Program Files\gfcgjn
    C:\Program Files\gfjh
    C:\Program Files\kkkk
    C:\Program Files\index.php
    
    Folder::
    C:\Documents and Settings\HP_Administrator\Application Data\shc1saj0e578
    
    DirLook::
    C:\Program Files\MYGR
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lphc7saj0e578"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispBackgroundPage"=-
    "NoDispScrSavPage"=-
    
     
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  12. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    Here they are.
    More thanks,
    Ken

    HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:43:44 PM, on 6/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.fidelity.com/frameless_pr_B.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 7989 bytes



    ComboFix Log:

    ComboFix 08-06-08.1 - HP_Administrator 2008-06-09 15:17:55.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1158 [GMT -5:00]
    Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\Program Files\ftfjtf
    C:\Program Files\gfcgjn
    C:\Program Files\gfjh
    C:\Program Files\htju
    C:\Program Files\index.php
    C:\Program Files\kkkk
    C:\Program Files\rgf6
    C:\Program Files\tui78
    C:\WINDOWS\system32\lphc7saj0e578.exe
    C:\WINDOWS\system32\phc7saj0e578.bmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\HP_Administrator\Application Data\AXPDefender
    C:\Documents and Settings\HP_Administrator\Application Data\shc1saj0e578
    C:\Program Files\ftfjtf
    C:\Program Files\gfcgjn
    C:\Program Files\gfjh
    C:\Program Files\htju
    C:\Program Files\index.php
    C:\Program Files\kkkk
    C:\Program Files\rgf6
    C:\Program Files\tui78
    C:\WINDOWS\system32\lphc7saj0e578.exe
    C:\WINDOWS\system32\phc7saj0e578.bmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .

    2008-06-08 00:52 . 2008-06-08 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-05-31 13:30 . 2008-05-31 13:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-05-31 13:24 . 2008-05-31 13:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-05-25 09:54 . 2008-05-25 09:54 <DIR> d-------- C:\Program Files\Common Files\xing shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-08 14:07 --------- d-----w C:\Program Files\Trend Micro
    2008-06-06 21:27 --------- d-----w C:\Program Files\Quicken
    2008-06-05 07:36 319 ----a-w C:\drmHeader.bin
    2008-05-25 14:52 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-05-25 14:52 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-05-25 14:52 --------- d-----w C:\Program Files\Common Files\Real
    2008-05-02 21:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
    2008-05-02 21:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
    2008-05-02 21:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
    2008-04-24 15:28 --------- d-----w C:\Program Files\FastStone Image Viewer
    2008-04-22 15:23 --------- d-----w C:\Program Files\MYGR
    2008-04-21 18:32 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Intuit
    2008-04-18 18:05 --------- d-----w C:\Program Files\Lavasoft
    2008-04-18 18:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-18 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-04-18 16:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-12 22:05 164 ----a-w C:\install.dat
    2008-04-09 16:44 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
    2008-04-09 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2007-10-26 01:21 47,360 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
    2007-05-15 22:34 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Program Files\MYGR ----

    2007-12-01 02:20 0 --ah----- C:\Program Files\MYGR\fssort.ini
    2007-07-01 18:53 6580538 --ahs---- C:\Program Files\MYGR\Thumbs.db


    ((((((((((((((((((((((((((((( [email protected]_17.31.07.67 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-08 13:30:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-09 20:33:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-09 16:00 33280 C:\WINDOWS\system32\rundll32.exe]
    "Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 09:52 185896]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]
    "sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-11-18 16:50:00 27136]
    PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-11-18 16:50:00 27136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-26 23:15:33 67128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
    backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --a------ 2005-08-02 19:19 77312 C:\WINDOWS\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
    --a------ 2006-04-13 05:05 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 17:01 67584 C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
    --------- 2004-08-09 16:00 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    --a------ 2006-02-15 18:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    --a------ 2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    --a------ 2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --------- 2004-08-09 16:00 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-05-09 10:50 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2005-07-22 18:14 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2004-12-13 22:23 663552 C:\Windows\Creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2006-06-13 15:05 16239616 C:\WINDOWS\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-25 09:52 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trend Micro AntiVirus 2007]
    C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    --a------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "tmproxy"=2 (0x2)
    "tavsvc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\DISC\\DISCover.exe"=
    "C:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "C:\\Program Files\\DISC\\myFTP.exe"=
    "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Quicken\\qw.exe"=


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-04 01:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-09 08:00:03 C:\WINDOWS\Tasks\wrSpySweeper_LB7BB792922F94A33A65519D9DC5CD54D.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LB7BB792922F94A33A65519D9DC5CD54D
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    - C:\
    "2008-06-07 09:00:04 C:\WINDOWS\Tasks\wrSpySweeper_LC1FA2C1F61194E23829D19FD2B89B5E3.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LC1FA2C1F61194E23829D19FD2B89B5E3
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 15:34:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-09 15:40:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-09 20:40:09
    ComboFix2.txt 2008-06-08 22:31:43

    Pre-Run: 204,696,834,048 bytes free
    Post-Run: 205,723,058,176 bytes free

    218 --- E O F --- 2008-05-14 08:01:16
     
  13. ken278

    ken278 Thread Starter

    Joined:
    Dec 28, 2006
    Messages:
    50
    Well the background is now back to normal without the dialogue box and the Display folder includes Screensaver and Desktop tabs again. I don't know if the virus is gone for sure. I assume that I can now re set my Webroot shields as soon as I can figure out again which ones to activate. Is that correct? Any other advice?

    Thank you so much for all the help. You were really great. Hopefully this takes care of the problem. Do I now mark it solved?

    Ken
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,279
    The infection had set some policies which is why those tabs were not displayed and we took care of that with the script we ran in ComboFix.

    But we're not finished yet as we need to check for leftovers. It would be best to leave SpySweeper disabled until we're finished.


    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.


    Please run Kaspersky online virus scan Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.

    Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,279
    Also, do you recognize this folder and the file it contains that was created on December 1st, 2007?

    C:\Program Files\MYGR\fssort.ini
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/719522

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice