
Solved: Nat and Win32.Small.dp found with SB S&D / HJT and SB S&D Log pasted.. Please Help!

Discussion in 'Virus & Other Malware Removal' started by JonnyJP, Jan 31, 2007.

Thread Status:
Not open for further replies.
  1. JonnyJP

    JonnyJP Thread Starter

    Joined:
    Oct 21, 2005
    Messages:
    31
    I ran some scans with Ad-Aware SE Personal, Spybot Search & Destroy, eTrust PestPatrol, and eTrust EZ Antivirus today on my boss' laptop and after automatically removing some infections, and manually removing others, both "Nat" and "Win32.Small.dp" continue to be found in Spybot after repeatedly being removed. No other programs seem to be finding anything at all either and Spybot doesn't look like it can remove them. They both have keys in the registry, located close together, named "host" and under data have the same exact IP address. I delete each key and they repeatedly appear again, same with changing their name or data. I don't have the laptop physically with me right now, but will be seeing it tomorrow to try any removal ideas. Any help would be very much appreciated. Thank you in advance. :D

    HJT and SB S&D:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:45:20 PM, on 1/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe
    C:\DOCUME~1\DR99E2~1.SAR\LOCALS~1\Temp\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\lxbscoms.exe
    C:\DOCUME~1\DR99E2~1.SAR\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    R3 - URLSearchHook: (no name) - {F50A1A57-8491-8A3D-C34C-8CBAA2454696} - C:\WINDOWS\system32\wytckd.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Fidelity Toolbar - {76886F39-D4D8-4f00-A354-3CC1C364F363} - C:\WINDOWS\Downloaded Program Files\FidelityToolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [VTBookGauge] "C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe"
    O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\DR99E2~1.SAR\LOCALS~1\Temp\svchost.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} (Fidelity Toolbar) - http://personal.fidelity.com/products/toolbar/FidelityToolbar.cab
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

    -----------------------------------------------------------

    Nat: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-2722632995-2206220525-1419673115-1005\Software\Microsoft\Internet Explorer\Desktop\host
    Win32.Small.dp: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-2722632995-2206220525-1419673115-1005\Software\Microsoft\Internet Explorer\Security\host

    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2007-01-07 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-01-15 advcheck.dll (1.2.1.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-01-26 Includes\Cookies.sbi (*)
    2006-12-08 Includes\Dialer.sbi (*)
    2007-01-26 Includes\DialerC.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2007-01-26 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2007-01-26 Includes\KeyloggersC.sbi (*)
    2007-01-12 Includes\Malware.sbi (*)
    2007-01-26 Includes\MalwareC.sbi (*)
    2007-01-19 Includes\PUPS.sbi (*)
    2007-01-26 Includes\PUPSC.sbi (*)
    2007-01-26 Includes\Revision.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2007-01-26 Includes\SecurityC.sbi (*)
    2007-01-26 Includes\Spybots.sbi (*)
    2007-01-26 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-12-08 Includes\Trojans.sbi (*)
    2007-01-26 Includes\TrojansC.sbi (*)
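The HijackThis log above carries the three signals a reviewer usually keys on: a copy of svchost.exe running from the user's Temp directory, an HKCU Run entry ("Firewall auto setup") that launches it, and an O23 service whose binary (svchosts.exe, one letter off the real name) is reported missing. The Python below is an added example, not code from the thread or from HijackThis; it applies those checks to constructed sample lines modelled on the posted log (the USER~1 profile name is a placeholder, and the rule set is my own).

```python
"""Triage of HijackThis-style log lines.

Added example for this thread, not code from the forum or from HijackThis.
Each entry that names a file gets four defender-side checks:
  * the program runs from a temporary directory,
  * a core Windows binary name appears outside System32,
  * the file name is one character away from a core binary name (svchosts.exe),
  * an O23 service entry reports its binary as "(file missing)".
"""
import re
from typing import Dict, List, Optional

SYSTEM_DIR = r"c:\windows\system32"
# Core binaries that legitimately live only in System32 on Windows XP (assumed list).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
PATH_RE = re.compile(r'[a-z]:\\[^"*?<>|]+?\.(?:exe|dll|sys|bat|cmd|scr)', re.IGNORECASE)

# Constructed sample, modelled on entry types in the posted log; the user
# profile directory is replaced by the placeholder USER~1.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
R3 - URLSearchHook: (no name) - {F50A1A57-8491-8A3D-C34C-8CBAA2454696} - C:\WINDOWS\system32\wytckd.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\USER~1\LOCALS~1\Temp\svchost.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def near_core_binary(filename: str) -> Optional[str]:
    """Return the core binary that `filename` becomes after deleting one character, else None."""
    for i in range(len(filename)):
        candidate = filename[:i] + filename[i + 1:]
        if candidate in CORE_BINARIES:
            return candidate
    return None


def triage_hjt_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: the line, the extracted path and the reasons."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = PATH_RE.search(line)
        if not match:
            continue  # headers and entries without a file path
        path = match.group(0)
        directory, _, filename = path.rpartition("\\")
        filename_l = filename.lower()
        reasons: List[str] = []
        if TEMP_RE.search(path):
            reasons.append("executes from a temporary directory")
        if filename_l in CORE_BINARIES and directory.lower() != SYSTEM_DIR:
            reasons.append(f"{filename} outside {SYSTEM_DIR}")
        lookalike = near_core_binary(filename_l)
        if lookalike:
            reasons.append(f"name resembles {lookalike}")
        if line.startswith("O23") and "(file missing)" in line:
            reasons.append("service binary missing on disk")
        if reasons:
            findings.append({"line": line, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt_log(SAMPLE_LOG):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Against the sample it reports the Temp-resident svchost.exe twice (once as a running process, once as the HKCU Run entry) and the svchosts.exe service as both a lookalike name and a missing binary; the legitimate System32 entries, Java updater and NVIDIA service produce nothing. The lookalike check is deliberately narrow (a single deleted character) so that real names such as services.exe or lsass.exe do not trip it.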
     
  2. JonnyJP

    JonnyJP Thread Starter

    Joined:
    Oct 21, 2005
    Messages:
    31
    Any ideas?
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  4. JonnyJP

    JonnyJP Thread Starter

    Joined:
    Oct 21, 2005
    Messages:
    31
    Both seem to be completely gone now... Spybot finds nothing and the files no longer exist where they first were in the registry. Thanks a lot, cybertech :).
    How's everything looking?

    EDIT: It looks like I spoke too soon... A little bit after posting this reply I received the 45sec shutdown countdown from "NT/Authority System" with status code 204. My boss received a couple of these today also, before the above removal instructions, but with code 203. All scans are also not showing any infections. Any suggestions? Thank you again for your help so far cybertech.

    SDFix Report:

    SDFix: Version 1.63

    Thu 02/01/2007 - 16:15:10.62

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    COM+ Messages

    Path:
    "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273

    COM+ Messages Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\DOCUME~1\DR99E2~1.SAR\LOCALS~1\Temp\svchost.exe - Deleted
    C:\WINDOWS\system32\autosys.exe - Deleted
    C:\WINDOWS\system32\cmd32.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.lzma - Deleted
    C:\WINDOWS\system32\zlbw.dll - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Documents and Settings\\Dr. Sarmiento\\Local Settings\\Temp\\10.tmp"="C:\\Documents and Settings\\Dr. Sarmiento\\Local Settings\\Temp\\10.tmp:*:Enabled:enable"
    "C:\\WINDOWS\\system32\\game1.exe"="C:\\WINDOWS\\system32\\game1.exe:*:Enabled:enable"
    "C:\\WINDOWS\\system32\\game4.exe"="C:\\WINDOWS\\system32\\game4.exe:*:Enabled:enable"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\WINDOWS\system32\W?nSxS\w?wexec.exe
    C:\WINDOWS\system32\??stem32\msdtc.exe~
    C:\hiberfil.sys

    Finished

    -----------------------------------------------------------------------

    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:34:06 PM, on 2/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Dr. Sarmiento\Desktop\HijackThis.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\74eac9a4b069a45e3e4e8d162f3dd349\update\update.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    R3 - URLSearchHook: (no name) - {F50A1A57-8491-8A3D-C34C-8CBAA2454696} - C:\WINDOWS\system32\wytckd.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Fidelity Toolbar - {76886F39-D4D8-4f00-A354-3CC1C364F363} - C:\WINDOWS\Downloaded Program Files\FidelityToolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [VTBookGauge] "C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} (Fidelity Toolbar) - http://personal.fidelity.com/products/toolbar/FidelityToolbar.cab
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
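The SDFix report in the post above ends with an export of the Windows Firewall AuthorizedApplications lists. Those lists survive the file and service cleanup, and the StandardProfile one still allows a .tmp file in the user's Temp directory and two game*.exe files in System32, all with the meaningless display name "enable", through the firewall. The Python below is an added example (not code from SDFix or from the thread) that parses that .reg-style export and flags exceptions a defender would want to justify or remove; the sample export is constructed from the posted entries with the user profile replaced by the placeholder USER, and the flagging rules are my own.

```python
"""Review of Windows XP SP2 firewall AuthorizedApplications exports.

Added example for this thread, not code from the forum or from SDFix. It parses
the .reg-style text SDFix prints under "Authorized Application Key Export" and
flags exceptions a defender would want to remove or justify:
  * the allowed program lives in a temporary directory,
  * the allowed file is not an .exe image (for example a .tmp file),
  * the display name is generic ("enable") instead of a product name,
  * the value name and the program path inside the value disagree.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
# Value layout on XP SP2: <path>:<scope>:<Enabled|Disabled>:<display name>
VALUE_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>enabled|disabled):(?P<name>.*)$",
                      re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
GENERIC_NAMES = {"", "enable", "enabled", "allow", "allowed"}  # assumed list

# Constructed sample modelled on the posted export; USER is a placeholder profile name.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\USER\\Local Settings\\Temp\\10.tmp"="C:\\Documents and Settings\\USER\\Local Settings\\Temp\\10.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\game1.exe"="C:\\WINDOWS\\system32\\game1.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\game4.exe"="C:\\WINDOWS\\system32\\game4.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"""


def review_firewall_exceptions(reg_text: str) -> List[Dict[str, object]]:
    """Return one finding per questionable exception, tagged with its firewall profile."""
    findings: List[Dict[str, object]] = []
    profile = "unknown"
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            # ...\FirewallPolicy\<Profile>\AuthorizedApplications\List
            parts = section.group(1).split("\\")
            profile = parts[-3] if len(parts) >= 3 else section.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        # .reg exports double every backslash; undo that before looking at paths.
        key_path = entry.group("key").replace("\\\\", "\\")
        value = entry.group("value").replace("\\\\", "\\")
        parsed = VALUE_RE.match(value)
        if not parsed:
            findings.append({"profile": profile, "path": key_path, "enabled": None,
                             "reasons": ["value does not follow path:scope:mode:name layout"]})
            continue
        path = parsed.group("path")
        filename = path.rpartition("\\")[2]
        reasons: List[str] = []
        if TEMP_RE.search(path):
            reasons.append("program lives in a temporary directory")
        if not filename.lower().endswith(".exe"):
            reasons.append("not an .exe image name")
        if parsed.group("name").strip().lower() in GENERIC_NAMES:
            reasons.append("generic display name")
        if key_path.lower() != path.lower():
            reasons.append("value name does not match program path")
        if reasons:
            findings.append({"profile": profile, "path": path,
                             "enabled": parsed.group("mode").lower() == "enabled",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_firewall_exceptions(SAMPLE_EXPORT):
        print(f"[{finding['profile']}] {finding['path']}: {'; '.join(finding['reasons'])}")
```

On the sample this flags exactly the three StandardProfile entries (10.tmp on all three counts, game1.exe and game4.exe for the generic name) and leaves the Remote Assistance, Message Queuing and Messenger exceptions alone. Entries are removed by deleting the value under the listed key; the program path is the value name, so a mismatch between it and the path inside the value is itself worth a look.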
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  6. JonnyJP

    JonnyJP Thread Starter

    Joined:
    Oct 21, 2005
    Messages:
    31
    Combofix found some files and rebooted my computer / quarantined them, but the shutdown message is still coming up. I'm about to run it one more time to see if it can remove it the second time. If it removes it and the message is killed, I'll edit the post to let you know. If not, let me know what's next. Thanks again.

    Here are the logs:



    "Dr. Sarmiento" - 07-02-01 21:37:00 Service Pack 2

    ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Dr. Sarmiento\Desktop"



    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))





    C:\WINDOWS\Downloaded Program Files\Logs

    C:\Program Files\Common Files\{3BD9C~1

    C:\Program Files\Common Files\{3BD9C~2

    C:\Program Files\Common Files\{7BD9C~1

    C:\Program Files\Common Files\{7BD9C~2

    C:\Program Files\outlook

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\qoobox\purity\WINDOWS\system32\STEM32~1

    C:\qoobox\purity\WINDOWS\system32\WNSXS~1

    C:\qoobox\purity\WINDOWS\system32\STEM32~1\msdtc.exe~

    C:\qoobox\purity\WINDOWS\system32\STEM32~1\??stem32

    C:\qoobox\purity\WINDOWS\system32\WNSXS~1\w?wexec.exe





    ((((((((((((((((((((((((((((((( Files Created from 2007-01-01 to 2007-02-01 ))))))))))))))))))))))))))))))))))





    2007-02-01 17:38 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

    2007-02-01 16:32 <DIR> d-------- C:\WINDOWS\system32\PreInstall

    2007-02-01 16:24 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution

    2007-02-01 16:11 <DIR> d-------- C:\SDFix

    2007-01-31 08:35 60,416 --a------ C:\WINDOWS\system32\wytckd.dll

    2007-01-31 08:35 2 --a------ C:\WINDOWS\system32\wnsintcc.exe

    2007-01-28 16:48 <DIR> d-------- C:\Program Files\Lavasoft

    2007-01-28 16:48 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Application Data\Lavasoft

    2007-01-27 14:22 0 -rahs---- C:\MSDOS.SYS

    2007-01-27 14:22 0 -rahs---- C:\IO.SYS

    2007-01-13 16:03 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Application Data\CyberLink

    2007-01-13 15:14 <DIR> d-------- C:\Program Files\YRefresher

    2007-01-12 17:07 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

    2007-01-11 14:58 <DIR> d-------- C:\WINDOWS\Sun

    2007-01-11 14:58 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Application Data\Sun

    2007-01-08 15:34 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Application Data\Google

    2007-01-08 15:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google

    2007-01-08 13:18 <DIR> d---s---- C:\DOCUME~1\DR99E2~1.SAR\UserData

    2007-01-07 19:35 <DIR> d--hs---- C:\RECYCLER

    2007-01-07 19:17 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\Temporary Internet Files

    2007-01-07 19:17 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\History

    2007-01-07 19:16 <DIR> d-------- C:\WINDOWS\Prefetch

    2007-01-07 19:03 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll

    2007-01-07 19:03 5,632 --a------ C:\WINDOWS\system32\kbdusa.dll

    2007-01-07 19:03 185,344 --a------ C:\WINDOWS\system32\Thawbrkr.dll

    2007-01-07 19:03 10,752 --a------ C:\WINDOWS\system32\c_iscii.dll

    2007-01-07 17:43 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

    2007-01-07 17:43 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

    2007-01-07 17:43 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

    2007-01-07 17:38 <DIR> d-------- C:\Program Files\SpywareGuard

    2007-01-07 17:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy

    2007-01-07 17:31 <DIR> d-------- C:\Program Files\SpywareBlaster

    2007-01-07 17:11 <DIR> d-------- C:\Program Files\Village Tronic VTBook DH

    2007-01-07 16:58 68,224 --a------ C:\WINDOWS\system32\drivers\P-PCI.SYS

    2007-01-07 16:19 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

    2007-01-07 16:18 <DIR> d-------- C:\WINDOWS\SHELLNEW

    2007-01-07 16:17 <DIR> d-------- C:\Program Files\Microsoft.NET

    2007-01-07 15:55 <DIR> d-------- C:\WINDOWS\CAVTemp

    2007-01-07 15:55 <DIR> d-------- C:\Program Files\Common Files\Scanner

    2007-01-07 15:51 <DIR> d-------- C:\Program Files\Lexmark

    2007-01-07 15:50 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Application Data\HP

    2007-01-07 15:49 <DIR> d-------- C:\Program Files\Lx_cats

    2007-01-07 15:48 983,107 --a------ C:\WINDOWS\system32\lxbsgf.dll

    2007-01-07 15:48 90,112 --a------ C:\WINDOWS\system32\lxbscur.dll

    2007-01-07 15:48 69,632 --a------ C:\WINDOWS\system32\lxbscu.dll

    2007-01-07 15:48 536,576 --a------ C:\WINDOWS\system32\lxbsjswr.dll

    2007-01-07 15:48 520,192 --a------ C:\WINDOWS\system32\lxbscomc.dll

    2007-01-07 15:48 495,616 --a------ C:\WINDOWS\system32\lxbshbn1.dll

    2007-01-07 15:48 471,040 --a------ C:\WINDOWS\system32\lxbspmui.dll

    2007-01-07 15:48 450,560 --a------ C:\WINDOWS\system32\lxbslmpm.dll

    2007-01-07 15:48 421,888 --a------ C:\WINDOWS\system32\lxbscoms.exe

    2007-01-07 15:48 40,960 --a------ C:\WINDOWS\system32\lxbsvs.dll

    2007-01-07 15:48 385,024 --a------ C:\WINDOWS\system32\lxbscomm.dll

    2007-01-07 15:48 376,832 --a------ C:\WINDOWS\system32\lxbsutil.dll

    2007-01-07 15:48 344,064 --a------ C:\WINDOWS\system32\lxbscfg.exe

    2007-01-07 15:48 294,912 --a------ C:\WINDOWS\system32\lxbsih.exe

    2007-01-07 15:48 126,976 --a------ C:\WINDOWS\system32\lxbsprox.dll

    2007-01-07 15:48 114,688 --a------ C:\WINDOWS\system32\lxbspplc.dll

    2007-01-07 15:48 1,048,576 --a------ C:\WINDOWS\system32\lxbsserv.dll

    2007-01-07 15:48 1,040,384 --a------ C:\WINDOWS\system32\lxbsusb1.dll

    2007-01-07 15:48 <DIR> d-------- C:\Program Files\Lexmark 810 Series

    2007-01-07 15:44 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys

    2007-01-07 15:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA

    2007-01-07 15:43 95,760 --a------ C:\WINDOWS\system32\ISafeIf.dll

    2007-01-07 15:43 75,280 --a------ C:\WINDOWS\system32\VetRedir.dll

    2007-01-07 15:43 75,280 --a------ C:\WINDOWS\system32\iSafProd.dll

    2007-01-07 15:43 629,264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys

    2007-01-07 15:43 244,240 --a------ C:\WINDOWS\unicows.dll

    2007-01-07 15:43 21,043 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys

    2007-01-07 15:43 16,227 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys

    2007-01-07 15:43 15,490 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys

    2007-01-07 15:43 112,144 --a------ C:\WINDOWS\AVShlExt.dll

    2007-01-07 15:43 108,592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys

    2007-01-07 15:43 103,952 --a------ C:\WINDOWS\UnVet32.exe

    2007-01-07 15:43 <DIR> d-------- C:\Program Files\CA

    2007-01-07 15:38 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

    2007-01-07 15:31 <DIR> d-------- C:\WINDOWS\pss

    2007-01-07 15:30 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Bluetooth Software

    2007-01-07 15:26 <DIR> d-------- C:\WINDOWS\system32\appmgmt

    2007-01-07 15:10 <DIR> d-------- C:\Program Files\WIDCOMM

    2007-01-07 15:06 <DIR> d--h----- C:\DOCUME~1\DR99E2~1.SAR\Temporary Internet Files

    2007-01-07 15:06 <DIR> d--h----- C:\DOCUME~1\DR99E2~1.SAR\History

    2007-01-07 15:06 <DIR> d-------- C:\DOCUME~1\DR99E2~1.SAR\Application Data\Intuit

    2007-01-07 15:05 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\Temporary Internet Files

    2007-01-07 15:05 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\History

    2007-01-07 15:05 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Intuit





    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



    Rootkit driver huy32 is present. A rootkit scan is required



    2007-01-31 16:59 -------- d---s---- C:\Documents and Settings\Dr. Sarmiento\Application Data\microsoft

    2007-01-28 16:48 -------- d-------- C:\Documents and Settings\Dr. Sarmiento\Application Data\lavasoft

    2007-01-13 16:03 -------- d-------- C:\Documents and Settings\Dr. Sarmiento\Application Data\cyberlink

    2007-01-12 17:32 -------- d-------- C:\Documents and Settings\Dr. Sarmiento\Application Data\hp

    2007-01-11 14:58 -------- d-------- C:\Documents and Settings\Dr. Sarmiento\Application Data\sun

    2007-01-08 15:34 -------- d-------- C:\Documents and Settings\Dr. Sarmiento\Application Data\google

    2007-01-08 15:33 -------- d-------- C:\Program Files\google

    2007-01-07 22:07 -------- d-------- C:\Program Files\hpq

    2007-01-07 16:13 -------- d-------- C:\Program Files\rgb

    2007-01-07 16:10 -------- d-------- C:\Program Files\microsoft money 2006

    2007-01-07 15:54 -------- d-------- C:\Documents and Settings\Dr. Sarmiento\Application Data\macromedia

    2007-01-07 15:35 -------- d-------- C:\Program Files\symantec

    2007-01-07 15:35 -------- d-------- C:\Program Files\hp

    2007-01-07 15:35 -------- d-------- C:\Program Files\Common Files\symantec shared

    2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll





    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))



    *Note* empty entries & legit default entries are not shown



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"

    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

    "hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"

    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

    "nwiz"="nwiz.exe /installquiet /nodetect"

    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"

    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

    "QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""

    "HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"

    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"

    "CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""

    "CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""

    "CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""

    "LXBSCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBStime.dll,[email protected]"

    "MemoryCardManager"="C:\\Program Files\\Lexmark\\Lexmark Precision Photo\\MemCard.exe -startup"

    "eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""

    "VTBookGauge"="\"C:\\Program Files\\Village Tronic VTBook DH\\Driver\\VTBookGauge.exe\""

    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\

    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

    "Installed"="1"



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

    "Installed"="1"

    "NoChange"="1"



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

    "Installed"="1"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"=""

    "hkey"="HKLM"

    "command"=""

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlPanel]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="cmd32"

    "hkey"="HKLM"

    "command"="C:\\WINDOWS\\system32\\cmd32.exe internat.dll,LoadKeyboardProfile"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctpmon]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="ctpmon"

    "hkey"="HKCU"

    "command"="ctpmon.exe"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="ISUSPM"

    "hkey"="HKLM"

    "command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="issch"

    "hkey"="HKLM"

    "command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="dumprep 0 -k"

    "hkey"="HKLM"

    "command"="%systemroot%\\system32\\dumprep 0 -k"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnwin.exe]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="lnwin"

    "hkey"="HKLM"

    "command"="C:\\WINDOWS\\system32\\lnwin.exe"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="regsvr32 /s mqrt"

    "hkey"="HKLM"

    "command"="regsvr32 /s mqrt.dll"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="QlbCtrl"

    "hkey"="HKLM"

    "command"="%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="RecGuard"

    "hkey"="HKLM"

    "command"="C:\\Windows\\SMINST\\RecGuard.exe"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="msdtc"

    "hkey"="HKCU"

    "command"="\"C:\\WINDOWS\\system32\\STEM32~1\\msdtc.exe\" -vt yazb"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidzpwfw]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="w?wexec"

    "hkey"="HKCU"

    "command"="\"C:\\WINDOWS\\system32\\W?nSxS\\w?wexec.exe\" 99001122"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="adirss"

    "hkey"="HKLM"

    "command"="C:\\WINDOWS\\system32\\adirss.exe"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="taskdir"

    "hkey"="HKCU"

    "command"="C:\\WINDOWS\\system32\\taskdir.exe"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7BD9CAEC-0724-1033-0613-060426060001}]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="Update"

    "hkey"="HKLM"

    "command"="\"C:\\Program Files\\Common Files\\{7BD9CAEC-0724-1033-0613-060426060001}\\Update.exe\" te-110-12-0000273"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7BD9CAEC-0725-1033-0613-060426060001}]

    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

    "item"="Update"

    "hkey"="HKLM"

    "command"="\"C:\\Program Files\\Common Files\\{7BD9CAEC-0725-1033-0613-060426060001}\\Update.exe\" te-110-12-0000273"

    "inimapping"="0"



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

    "wscsvc"=dword:00000002

    "wuauserv"=dword:00000002



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

    "{81559C35-8464-49F7-BB0E-07A383BEF910}"=""



    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\

    63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\

    6d,73,73,74,79,6c,65,73,00

    "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\

    73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00



    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"





    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

    NetworkService REG_MULTI_SZ DnsCache\0\0

    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

    rpcss REG_MULTI_SZ RpcSs\0\0

    imgsvc REG_MULTI_SZ StiSvc\0\0

    termsvcs REG_MULTI_SZ TermService\0\0





    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]

    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480



    Completion time: 07-02-01 21:40:19

    -----------------------------------------------------------------

    Logfile of HijackThis v1.99.1

    Scan saved at 9:58:37 PM, on 2/1/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\ehome\ehtray.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\HP\QuickPlay\QPService.exe

    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe

    C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    C:\Program Files\SpywareGuard\sgmain.exe

    C:\Program Files\SpywareGuard\sgbhp.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

    C:\WINDOWS\system32\mqsvc.exe

    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    C:\WINDOWS\system32\mqtgsvc.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\WINDOWS\eHome\ehmsas.exe

    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

    C:\WINDOWS\msagent\AgentSvr.exe

    C:\Documents and Settings\Dr. Sarmiento\Desktop\HijackThis.exe



    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop

    R3 - URLSearchHook: (no name) - {F50A1A57-8491-8A3D-C34C-8CBAA2454696} - C:\WINDOWS\system32\wytckd.dll

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Fidelity Toolbar - {76886F39-D4D8-4f00-A354-3CC1C364F363} - C:\WINDOWS\Downloaded Program Files\FidelityToolbar.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"

    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"

    O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]

    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup

    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

    O4 - HKLM\..\Run: [VTBookGauge] "C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe"

    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    O4 - Global Startup: Bluetooth.lnk = ?

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop

    O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} (Fidelity Toolbar) - http://personal.fidelity.com/products/toolbar/FidelityToolbar.cab

    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe

    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
     
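    The ComboFix "Reg Loading Points" section above lists msconfig `startupreg` entries, several of which show traits a reviewer would pull out by hand: a `?` inside a path (not a legal Windows file-name character, so the logging tool could not print the real one), a per-user (HKCU) autostart that runs a program out of `system32`, and a program sitting in an 8.3 short-named subfolder of `system32`. The following is an added example, not code from the thread or from ComboFix/HijackThis: a small Python parser that reads entries in that `.reg`-style shape and applies those three constructed heuristics. The sample input is constructed to mirror the format of the entries in the log, and the heuristic names and thresholds are my own assumptions.

```python
import re

# Constructed sample in the shape of the ComboFix "startupreg" section
# (not copied from the page; values chosen to exercise each heuristic).
SAMPLE_STARTUPREG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSPM"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidzpwfw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="w?wexec"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\W?nSxS\\w?wexec.exe\" 99001122"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdtc"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\STEM32~1\\msdtc.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="taskdir"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\taskdir.exe"
"inimapping"="0"
'''

HEADER_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\startupreg\Name]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')     # "name"="value"
ESCAPE_RE = re.compile(r'\\(.)')                 # .reg escaping: \\ and \"


def unescape_reg(value):
    """Undo .reg-style escaping so paths carry single backslashes."""
    return ESCAPE_RE.sub(r'\1', value)


def parse_startupreg(text):
    """Turn [key] / "name"="value" blocks into a list of dicts."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            # Keep only the last path component as the entry name.
            current = {'entry': m.group(1).rsplit('\\', 1)[-1]}
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = unescape_reg(m.group(2))
    return entries


def executable_path(command):
    """Pull the program path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                  # quoted path, args follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ', 1)[0]


def suspicious_reasons(entry):
    """Apply the three constructed heuristics to one entry."""
    exe = executable_path(entry.get('command', ''))
    reasons = []
    if '?' in exe:                               # '?' is never a real file-name char
        reasons.append('unprintable_char')
    in_system32 = '\\system32\\' in exe.lower()
    if in_system32 and entry.get('hkey', '').upper() == 'HKCU':
        reasons.append('hkcu_system32')          # per-user autostart of a system32 binary
    if in_system32 and re.search(r'~\d+\\', exe):
        reasons.append('short_name_dir')         # 8.3-style folder such as STEM32~1
    return exe, reasons


def flag_entries(text):
    """Return (entry name, executable, reasons) for every flagged entry."""
    findings = []
    for entry in parse_startupreg(text):
        exe, reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry['entry'], exe, reasons))
    return findings


if __name__ == '__main__':
    for name, exe, reasons in flag_entries(SAMPLE_STARTUPREG):
        print(f'{name}: {exe}  [{", ".join(reasons)}]')
```

Run against the constructed sample, the InstallShield entry passes clean and the other three are reported with the reason(s) that apply. The heuristics are deliberately narrow: they only surface entries that deserve a closer look (the path, the signer, the file's hash), not a verdict, and a clean result says nothing about entries that use none of these tells.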
  7. JonnyJP

    JonnyJP Thread Starter

    Joined:
    Oct 21, 2005
    Messages:
    31
    I went ahead and installed AVG AntiSpyware 7.5 on the computer, ran a full scan and 14 infections were found with 48 objects total infected. I chose "Delete" for all actions to take and the program went through the process of removing them. I then restarted my computer, ran AVG again to do another full scan and it found 3 of the same 14 infections it found before. This time I chose the action taken for them to be "Delete After Reboot." AVG prompted to restart the PC; when windows came back up I didn't notice AVG run to follow through on the removal, but I went ahead and did another full scan (this time finding nothing).

    Apart from that, when I try to update windows through IE it finishes the downloading process and begins to install them but once it gets past 2 or 3 the PC blacks out, I get a quick blue screen with an error on it, and the computer just boots back into windows. It does this repeatedly with no success. I am also getting a "services and app" error "Send/Don't Send Error Report" each time the computer boots, sometimes following with the NT shutdown message. Thanks again for all your help.

    Here is the last AVG Report, where it found 3 infections (that should now be gone), and a new HJT log (I also have the 1st AVG report with the 14 infections if needed):

    ---------------------------------------------------------

    AVG Anti-Spyware - Scan Report

    ---------------------------------------------------------



    + Created at: 2:15:25 AM 2/2/2007

    + Scan result:


    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022075.dll -> Adware.PurityScan : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022069.dll -> Adware.Softomate : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022070.dll -> Adware.Softomate : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022071.dll -> Adware.Softomate : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022072.dll -> Adware.Softomate : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022073.dll -> Adware.Softomate : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022074.dll -> Adware.Softomate : No action taken.
    C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP41\A0022068.exe -> Trojan.Small : No action taken.


    ::Report end

    ----------------------------------------------------------

    Logfile of HijackThis v1.99.1

    Scan saved at 2:26:23 AM, on 2/2/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\ehome\ehtray.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\Program Files\HP\QuickPlay\QPService.exe

    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe

    C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    C:\Program Files\SpywareGuard\sgmain.exe

    C:\WINDOWS\system32\mqsvc.exe

    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    C:\Program Files\SpywareGuard\sgbhp.exe

    C:\WINDOWS\system32\mqtgsvc.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\WINDOWS\eHome\ehmsas.exe

    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

    C:\Documents and Settings\Dr. Sarmiento\Desktop\HijackThis.exe



    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop

    R3 - URLSearchHook: (no name) - {F50A1A57-8491-8A3D-C34C-8CBAA2454696} - C:\WINDOWS\system32\wytckd.dll (file missing)

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Fidelity Toolbar - {76886F39-D4D8-4f00-A354-3CC1C364F363} - C:\WINDOWS\Downloaded Program Files\FidelityToolbar.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"

    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"

    O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]

    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup

    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

    O4 - HKLM\..\Run: [VTBookGauge] "C:\Program Files\Village Tronic VTBook DH\Driver\VTBookGauge.exe"

    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    O4 - Global Startup: Bluetooth.lnk = ?

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop

    O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} (Fidelity Toolbar) - http://personal.fidelity.com/products/toolbar/FidelityToolbar.cab

    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe

    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please run combofix again and post the results.
     
  9. JonnyJP

    JonnyJP Thread Starter

    Joined:
    Oct 21, 2005
    Messages:
    31
    My boss didn't want to deal with the hassle so he called HP technical support and they talked him through reinstalling windows. I know we would've gotten it running fine soon if he just would've waited, but he's not the most patient person. Thank you again for all your time and help cybertech. :rolleyes:
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Thanks for letting me know! (y)

    I know you put a lot of work into trying to fix his machine...

    Next time he wants help you should tell him to call HP! ;)
     
Short URL to this thread: https://techguy.org/540073