
BITS and Malware Removal Problems

Discussion in 'Malware and Virus Removal Archive' started by rmon123, 2007/12/11.

    My wife's computer became infected with some malware that I cannot seem to remove. I have used several tools to do so and our problem remains. In the Local Settings\Temp folder it constantly produces BIT25A.tmp, BIT28.tmp, etc. files at the rate of several hundred to a thousand a day. The computer constantly receives inbound hits from 77.91.228.180 (rite.net in Amsterdam) according to AVG v7.5. These inbound attempts are blocked by filter device according to AVG firewall. The only way I can stop these temp files and inbound attempts is by stopping and disabling the Background Intelligent Transfer Service in XP's services or disabling the wireless connection. Virus and spyware scans from the normal software are not picking up anything or eliminating this pest. Any help would be very much appreciated.

    Below is my HijackThis log and below that will be the Deckard log generated a few minutes ago.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:52:46 AM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\a-squared Anti-Dialer\a2service.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\WINDOWS\system32\hpbpro.exe
    C:\WINDOWS\system32\hpboid.exe
    C:\AAA\Tools\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe "
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180003702518
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8340 bytes


    And now Deckard...

    Deckard's System Scanner v20071014.68
    Run by HP_Administrator on 2007-12-11 04:55:51
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-12-11 09:55:53 UTC - RP3 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as HP_Administrator.exe) ------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:57:19 AM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\a-squared Anti-Dialer\a2service.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\WINDOWS\system32\hpbpro.exe
    C:\WINDOWS\system32\hpboid.exe
    C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\AAA\Tools\HP_Administrator.exe

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe "
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180003702518
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8456 bytes

    -- HijackThis Fixed Entries (C:\AAA\Tools\backups\) ----------------------------

    backup-20071125-130821-374 O2 - BHO: MSVPS System - {48F763FA-3001-4C76-90E5-61FD87440AC8} - C:\WINDOWS\popnetnfv.dll
    backup-20071125-130821-532 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    backup-20071125-130821-579 O3 - Toolbar: The jokwmp - {2623E5C5-B0C2-4300-8C63-9F51D133CA0A} - C:\WINDOWS\jokwmp.dll
    backup-20071125-130821-802 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-180526-211 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-181205-698 O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    backup-20071125-181205-843 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-181206-115 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    backup-20071125-181206-147 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    backup-20071125-181206-325 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    backup-20071125-181206-511 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    backup-20071125-181206-607 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
    backup-20071125-181947-231 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    backup-20071125-181947-282 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    backup-20071125-181947-293 O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
    backup-20071125-181947-451 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    backup-20071125-181947-470 O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    backup-20071125-181947-534 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-181948-187 O21 - SSODL: msmhost - {20FDDA45-BB27-4D7F-846D-E7CAC40C9EF0} - C:\WINDOWS\msmhost.dll (file missing)
    backup-20071125-181948-393 O21 - SSODL: sapnet - {2E9586AB-746B-40BF-ADF4-1AAA391BBEA7} - C:\WINDOWS\sapnet.dll
    backup-20071125-181948-539 O21 - SSODL: rmvgor - {CD01EB65-05ED-4DEC-BCFC-7B031B166EC6} - C:\WINDOWS\rmvgor.dll
    backup-20071125-181948-836 O21 - SSODL: msmdev - {C9FC2D40-F16B-4FBE-8743-03A9835A9E89} - C:\WINDOWS\msmdev.dll (file missing)
    backup-20071125-182350-194 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-183039-322 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071126-041312-107 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    backup-20071126-041312-938 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071126-055345-494 O21 - SSODL: msmhost - {C82EB488-A689-43DE-9B05-FD0F9EC699A6} - C:\WINDOWS\msmhost.dll (file missing)
    backup-20071126-055345-814 O21 - SSODL: msmdev - {28790219-3E48-4DA5-922D-3AC15DA27D50} - C:\WINDOWS\msmdev.dll (file missing)
    backup-20071126-055345-842 O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    backup-20071126-200109-455 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071127-050021-776 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071127-060456-660 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071127-074157-273 O21 - SSODL: rmvgor - {8557510B-C126-4174-9499-9BD55EFE7D9E} - C:\WINDOWS\rmvgor.dll
    backup-20071127-074157-739 O21 - SSODL: sapnet - {A634BA13-B02D-42BA-BE4E-EA46E008B24A} - C:\WINDOWS\sapnet.dll
    backup-20071127-091609-247 O21 - SSODL: sapnet - {D956924A-F070-4496-B214-E9AAF384C0BD} - C:\WINDOWS\sapnet.dll
    backup-20071127-091610-935 O21 - SSODL: rmvgor - {F0937175-068F-49AF-AB71-1D768428F8F5} - C:\WINDOWS\rmvgor.dll
    backup-20071202-122742-704 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
    R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.10) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.10>
    R3 AR5211 (NETGEAR WPN311 V1H3 Wireless Adapter Service) - c:\windows\system32\drivers\wpn311.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>
    R3 catchme - c:\docume~1\hp_adm~1\locals~1\temp\catchme.sys (file missing)

    S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
    S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
    S3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>

    S4 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
    S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139/810x Family Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A24103C&REV_10\4&1C88B56&0&18A4
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8139/810x Family Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A24103C&REV_10\4&1C88B56&0&18A4
    Service: RTL8023xp


    -- Scheduled Tasks -------------------------------------------------------------

    2007-12-11 03:58:01 338 --a------ C:\WINDOWS\Tasks\HP Usg Daily FY04.job
    2007-12-11 02:04:09 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


    -- Files created between 2007-11-11 and 2007-12-11 -----------------------------

    2007-12-10 05:28:59 0 d-------- C:\WINDOWS\ERUNT
    2007-12-10 04:51:26 0 d-------- C:\!KillBox
    2007-12-10 03:51:46 0 d-------- C:\Program Files\RogueRemover FREE
    2007-12-09 11:30:17 0 d-------- C:\Program Files\RegCleaner
    2007-12-06 04:28:45 0 d-------- C:\Program Files\a-squared HiJackFree
    2007-12-05 06:02:16 0 d-------- C:\Program Files\a-squared Anti-Dialer
    2007-12-03 07:42:47 0 d-------- C:\Documents and Settings\ric\Application Data\Logitech
    2007-12-03 07:41:54 0 d-------- C:\Documents and Settings\ric\Application Data\AVG7
    2007-12-03 07:41:48 0 d-------- C:\Documents and Settings\ric\Application Data\Sunbelt Software
    2007-12-03 07:41:41 0 d-------- C:\Documents and Settings\ric\Application Data\Share-to-Web Upload Folder
    2007-12-03 07:40:19 0 dr------- C:\Documents and Settings\ric\Favorites
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Desktop
    2007-12-03 07:40:19 0 d--hs---- C:\Documents and Settings\ric\Cookies
    2007-12-03 07:40:19 0 dr-h----- C:\Documents and Settings\ric\Application Data
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Symantec
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\SampleView
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Real
    2007-12-03 07:40:19 0 d---s---- C:\Documents and Settings\ric\Application Data\Microsoft
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Intuit
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Identities
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\ATI
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Apple Computer
    2007-12-03 07:40:18 0 d-------- C:\Documents and Settings\ric\WINDOWS
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\Templates
    2007-12-03 07:40:18 0 dr------- C:\Documents and Settings\ric\Start Menu
    2007-12-03 07:40:18 0 dr-h----- C:\Documents and Settings\ric\SendTo
    2007-12-03 07:40:18 0 dr-h----- C:\Documents and Settings\ric\Recent
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\PrintHood
    2007-12-03 07:40:18 1048576 --ah----- C:\Documents and Settings\ric\NTUSER.DAT
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\NetHood
    2007-12-03 07:40:18 0 dr------- C:\Documents and Settings\ric\My Documents
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\Local Settings
    2007-12-02 14:29:27 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
    2007-12-02 14:06:02 0 d-------- C:\Program Files\Opera
    2007-12-02 13:12:25 0 d-------- C:\Documents and Settings\All Users\Application Data\logs
    2007-12-02 11:11:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2007-12-02 11:10:38 0 d-------- C:\Program Files\Security Task Manager
    2007-12-02 09:41:50 0 dr-h----- C:\$VAULT$.AVG
    2007-12-02 09:13:01 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-12-02 09:13:01 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-12-02 08:49:58 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sunbelt Software
    2007-12-02 08:49:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-12-02 08:49:11 0 d-------- C:\Program Files\Sunbelt Software
    2007-11-30 14:57:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-30 14:53:25 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
    2007-11-30 14:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-30 14:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-27 16:16:50 0 d-------- C:\E2
    2007-11-25 13:15:36 3170 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-25 12:02:09 0 d-------- C:\Program Files\Yahoo!
    2007-11-25 12:02:03 0 d-------- C:\Program Files\CCleaner
    2007-11-25 07:20:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-11-25 07:20:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-11-24 19:29:09 0 d-------- C:\Program Files\Windows Defender
    2007-11-18 18:55:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
    2007-11-17 13:38:38 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2007-11-11 10:05:47 0 d-------- C:\dji_talkturkey


    -- Find3M Report ---------------------------------------------------------------

    2007-12-10 05:38:43 336 --a------ C:\WINDOWS\system32\tablet.dat
    2007-12-08 17:04:30 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
    2007-12-08 17:01:52 0 d-------- C:\Program Files\Common Files\Adobe
    2007-12-08 17:01:03 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
    2007-12-03 07:40:42 0 d-------- C:\Program Files\Web Publish
    2007-12-02 14:06:12 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Opera
    2007-11-30 14:56:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-11-30 14:31:24 0 d-------- C:\Program Files\Common Files
    2007-11-26 06:20:44 0 d-------- C:\Program Files\Java
    2007-11-26 05:32:40 0 d-------- C:\Program Files\WildTangent
    2007-11-25 18:19:53 0 d-------- C:\Program Files\Google
    2007-11-25 18:02:29 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Webshots
    2007-11-25 09:08:47 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-11-24 15:47:04 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
    2007-11-06 17:45:19 0 d-------- C:\Program Files\Real
    2007-11-06 17:45:18 0 d-------- C:\Program Files\Common Files\Real
    2007-11-06 17:44:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
    2007-10-25 16:31:49 0 d-a------ C:\Program Files\Common Files\LightScribe
    2007-10-13 10:36:06 0 d-------- C:\Program Files\Inspiration 8


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 03:56 PM]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 06:19 PM C:\WINDOWS\arpwrmsg.exe]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/10/2005 02:33 AM]
    "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 06:35 PM]
    "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/25/2005 05:34 PM]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 01:12 AM]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [04/06/2004 05:28 AM]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 02:54 PM]
    "HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [06/06/2004 11:42 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/12/2006 06:55 PM]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/30/2007 02:53 PM]
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]
    "a-squared"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [07/16/2007 09:48 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [02/25/2007 08:28 AM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 12:00 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t


    COULD NOT POST ALL OF DECKARDS DUE TO CHARACTERS ALLOWED IN THREAD


    -- End of Deckard's System Scanner: finished at 2007-12-11 04:58:22 ------------


    Thanks for your help!!

    Ric
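The symptom described in this post, Temp filling up with BIT25A.tmp-style files and the traffic stopping only when the Background Intelligent Transfer Service is disabled, is what a BITS download job created by malware looks like from the outside. BITS writes each transfer in progress to a BITnnnn.tmp file next to the job's destination file, retries failed transfers on its own schedule as a trusted system service, and keeps the job across reboots, so killing the dropper's process does not stop the downloads and the firewall only ever sees svchost.exe talking to the network. The check to make before disabling the service is to list the jobs of every user with `bitsadmin /list /allusers /verbose` (BITSAdmin ships in the XP SP2 Support Tools and is built into Vista and later; /allusers needs an administrator prompt) and read off each job's owner, remote URL and local destination. The script below is an added example, not code from this thread: it parses that listing, flags any job pulling from a host that is not on a small allowlist (a bare IP literal like the one AVG logged is the usual tell), and prints the bitsadmin /cancel command for it. The allowlist, the assumed output layout and the sample listing embedded in the script are my own assumptions and constructed data, not taken from the poster's machine.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed sample of `bitsadmin /list /allusers /verbose` output. The
# layout (GUID/DISPLAY header, TYPE/STATE/OWNER line, "JOB FILES:" block with
# "remote -> local" entries) is assumed from the XP/2003-era tool; the second
# job is invented to resemble the one the thread describes.
SAMPLE_BITSADMIN = r"""
GUID: {7A2B0C1D-1111-4E2F-9ABC-0123456789AB} DISPLAY: Windows Update
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM PRIORITY: NORMAL
FILES: 1 / 1 BYTES: 2048 / 2048
JOB FILES:
    2048 / 2048 WORKING http://download.windowsupdate.com/v6/x86/wuredir.cab -> C:\WINDOWS\SoftwareDistribution\Download\wuredir.cab
NOTIFICATION FLAGS: 3

GUID: {D3ADB33F-2222-4E2F-9ABC-0123456789AB} DISPLAY:
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: HPPC\HP_Administrator PRIORITY: FOREGROUND
FILES: 0 / 1 BYTES: 0 / UNKNOWN
JOB FILES:
    0 / UNKNOWN WORKING http://77.91.228.180/dl/1.exe -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\1.exe
NOTIFICATION FLAGS: 3

Listed 2 job(s).
"""

# Hosts this machine is expected to pull BITS downloads from (assumption;
# extend it with your patch server, AV vendor and so on).
TRUSTED_HOSTS = {"download.windowsupdate.com", "update.microsoft.com",
                 "download.microsoft.com"}

JOB_HEADER = re.compile(r"^GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*(.*)$")
OWNER = re.compile(r"OWNER:\s*(.+?)\s+PRIORITY:")
STATE = re.compile(r"STATE:\s*(\S+)")
FILE_LINE = re.compile(r"(\S+://\S+)\s+->\s+(.+?)\s*$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_bitsadmin(text):
    """Split verbose bitsadmin output into one dict per job."""
    jobs, job = [], None
    for line in text.splitlines():
        m = JOB_HEADER.match(line)
        if m:
            job = {"guid": m.group(1), "display": m.group(2).strip(),
                   "owner": "", "state": "", "files": []}
            jobs.append(job)
            continue
        if job is None:
            continue
        m = OWNER.search(line)
        if m:
            job["owner"] = m.group(1)
        m = STATE.search(line)
        if m and not job["state"]:
            job["state"] = m.group(1)
        m = FILE_LINE.search(line)
        if m and m.groups() not in job["files"]:
            job["files"].append(m.groups())   # (remote URL, local destination)
    return jobs


def suspicious_jobs(jobs, trusted_hosts=TRUSTED_HOSTS):
    """Return (job, reason) for every job whose remote host is off the allowlist."""
    flagged = []
    for job in jobs:
        for url, local in job["files"]:
            host = (urlsplit(url).hostname or "").lower()
            if host in trusted_hosts:
                continue
            why = "bare IP literal" if IPV4.fullmatch(host) else "host not on allowlist"
            flagged.append((job, f"{why}: {url} -> {local}"))
            break                      # one reason per job is enough
    return flagged


def cancel_commands(flagged):
    """The bitsadmin commands that remove the flagged jobs (run as administrator)."""
    return [f"bitsadmin /cancel {job['guid']}" for job, _ in flagged]


def main():
    if sys.platform == "win32":
        # Live listing; /allusers requires an administrator prompt.
        text = subprocess.run(["bitsadmin", "/list", "/allusers", "/verbose"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_BITSADMIN   # off-box dry run on the constructed sample
    jobs = parse_bitsadmin(text)
    for job in jobs:
        print(f"{job['guid']} state={job['state']} owner={job['owner']!r} "
              f"display={job['display']!r} files={len(job['files'])}")
    flagged = suspicious_jobs(jobs)
    for job, reason in flagged:
        print(f"SUSPICIOUS {job['guid']}: {reason}")
    for cmd in cancel_commands(flagged):
        print("  ->", cmd)


if __name__ == "__main__":
    main()
```

Run it from an administrator command prompt on the affected machine. Cancelling the job only removes the download: if a new job with the same remote host is back within minutes, whatever creates it is still running and has to be found and removed first. `bitsadmin /reset /allusers` cancels every job at once and is the blunter alternative when you do not care about pending Windows Update transfers.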
     
  2. 2007/12/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    rmon123 - Welcome to the Board :)

    Split the log across 2 posts.
     


  4. 2007/12/11
    rmon123

    rmon123 Inactive Thread Starter

    Joined:
    2007/12/10
    Messages:
    22
    Likes Received:
    0
     
  5. 2007/12/11
    rmon123

    rmon123 Inactive Thread Starter

    Joined:
    2007/12/10
    Messages:
    22
    Likes Received:
    0
    BITS and Malware 2

    Pete - thanks for looking and I hope I am posting this Deckard's log correctly for you. If not, let me know how.

    DECKARDS

    Deckard's System Scanner v20071014.68
    Run by HP_Administrator on 2007-12-11 04:55:51
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-12-11 09:55:53 UTC - RP3 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as HP_Administrator.exe) ------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:57:19 AM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\a-squared Anti-Dialer\a2service.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\WINDOWS\system32\hpbpro.exe
    C:\WINDOWS\system32\hpboid.exe
    C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\AAA\Tools\HP_Administrator.exe

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180003702518
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8456 bytes

    -- HijackThis Fixed Entries (C:\AAA\Tools\backups\) ----------------------------

    backup-20071125-130821-374 O2 - BHO: MSVPS System - {48F763FA-3001-4C76-90E5-61FD87440AC8} - C:\WINDOWS\popnetnfv.dll
    backup-20071125-130821-532 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    backup-20071125-130821-579 O3 - Toolbar: The jokwmp - {2623E5C5-B0C2-4300-8C63-9F51D133CA0A} - C:\WINDOWS\jokwmp.dll
    backup-20071125-130821-802 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-180526-211 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-181205-698 O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    backup-20071125-181205-843 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-181206-115 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    backup-20071125-181206-147 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    backup-20071125-181206-325 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    backup-20071125-181206-511 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    backup-20071125-181206-607 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
    backup-20071125-181947-231 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    backup-20071125-181947-282 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    backup-20071125-181947-293 O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
    backup-20071125-181947-451 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    backup-20071125-181947-470 O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    backup-20071125-181947-534 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-181948-187 O21 - SSODL: msmhost - {20FDDA45-BB27-4D7F-846D-E7CAC40C9EF0} - C:\WINDOWS\msmhost.dll (file missing)
    backup-20071125-181948-393 O21 - SSODL: sapnet - {2E9586AB-746B-40BF-ADF4-1AAA391BBEA7} - C:\WINDOWS\sapnet.dll
    backup-20071125-181948-539 O21 - SSODL: rmvgor - {CD01EB65-05ED-4DEC-BCFC-7B031B166EC6} - C:\WINDOWS\rmvgor.dll
    backup-20071125-181948-836 O21 - SSODL: msmdev - {C9FC2D40-F16B-4FBE-8743-03A9835A9E89} - C:\WINDOWS\msmdev.dll (file missing)
    backup-20071125-182350-194 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071125-183039-322 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071126-041312-107 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    backup-20071126-041312-938 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071126-055345-494 O21 - SSODL: msmhost - {C82EB488-A689-43DE-9B05-FD0F9EC699A6} - C:\WINDOWS\msmhost.dll (file missing)
    backup-20071126-055345-814 O21 - SSODL: msmdev - {28790219-3E48-4DA5-922D-3AC15DA27D50} - C:\WINDOWS\msmdev.dll (file missing)
    backup-20071126-055345-842 O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    backup-20071126-200109-455 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071127-050021-776 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071127-060456-660 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    backup-20071127-074157-273 O21 - SSODL: rmvgor - {8557510B-C126-4174-9499-9BD55EFE7D9E} - C:\WINDOWS\rmvgor.dll
    backup-20071127-074157-739 O21 - SSODL: sapnet - {A634BA13-B02D-42BA-BE4E-EA46E008B24A} - C:\WINDOWS\sapnet.dll
    backup-20071127-091609-247 O21 - SSODL: sapnet - {D956924A-F070-4496-B214-E9AAF384C0BD} - C:\WINDOWS\sapnet.dll
    backup-20071127-091610-935 O21 - SSODL: rmvgor - {F0937175-068F-49AF-AB71-1D768428F8F5} - C:\WINDOWS\rmvgor.dll
    backup-20071202-122742-704 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
    R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.10) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.10>
    R3 AR5211 (NETGEAR WPN311 V1H3 Wireless Adapter Service) - c:\windows\system32\drivers\wpn311.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>
    R3 catchme - c:\docume~1\hp_adm~1\locals~1\temp\catchme.sys (file missing)

    S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
    S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
    S3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>

    S4 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
    S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139/810x Family Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A24103C&REV_10\4&1C88B56&0&18A4
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8139/810x Family Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A24103C&REV_10\4&1C88B56&0&18A4
    Service: RTL8023xp


    -- Scheduled Tasks -------------------------------------------------------------

    2007-12-11 03:58:01 338 --a------ C:\WINDOWS\Tasks\HP Usg Daily FY04.job
    2007-12-11 02:04:09 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


    -- Files created between 2007-11-11 and 2007-12-11 -----------------------------

    2007-12-10 05:28:59 0 d-------- C:\WINDOWS\ERUNT
    2007-12-10 04:51:26 0 d-------- C:\!KillBox
    2007-12-10 03:51:46 0 d-------- C:\Program Files\RogueRemover FREE
    2007-12-09 11:30:17 0 d-------- C:\Program Files\RegCleaner
    2007-12-06 04:28:45 0 d-------- C:\Program Files\a-squared HiJackFree
    2007-12-05 06:02:16 0 d-------- C:\Program Files\a-squared Anti-Dialer
    2007-12-03 07:42:47 0 d-------- C:\Documents and Settings\ric\Application Data\Logitech
    2007-12-03 07:41:54 0 d-------- C:\Documents and Settings\ric\Application Data\AVG7
    2007-12-03 07:41:48 0 d-------- C:\Documents and Settings\ric\Application Data\Sunbelt Software
    2007-12-03 07:41:41 0 d-------- C:\Documents and Settings\ric\Application Data\Share-to-Web Upload Folder
    2007-12-03 07:40:19 0 dr------- C:\Documents and Settings\ric\Favorites
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Desktop
    2007-12-03 07:40:19 0 d--hs---- C:\Documents and Settings\ric\Cookies
    2007-12-03 07:40:19 0 dr-h----- C:\Documents and Settings\ric\Application Data
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Symantec
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\SampleView
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Real
    2007-12-03 07:40:19 0 d---s---- C:\Documents and Settings\ric\Application Data\Microsoft
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Intuit
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Identities
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\ATI
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Apple Computer
    2007-12-03 07:40:18 0 d-------- C:\Documents and Settings\ric\WINDOWS
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\Templates
    2007-12-03 07:40:18 0 dr------- C:\Documents and Settings\ric\Start Menu
    2007-12-03 07:40:18 0 dr-h----- C:\Documents and Settings\ric\SendTo
    2007-12-03 07:40:18 0 dr-h----- C:\Documents and Settings\ric\Recent
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\PrintHood
    2007-12-03 07:40:18 1048576 --ah----- C:\Documents and Settings\ric\NTUSER.DAT
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\NetHood
    2007-12-03 07:40:18 0 dr------- C:\Documents and Settings\ric\My Documents
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\Local Settings
    2007-12-02 14:29:27 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
    2007-12-02 14:06:02 0 d-------- C:\Program Files\Opera
    2007-12-02 13:12:25 0 d-------- C:\Documents and Settings\All Users\Application Data\logs
    2007-12-02 11:11:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2007-12-02 11:10:38 0 d-------- C:\Program Files\Security Task Manager
    2007-12-02 09:41:50 0 dr-h----- C:\$VAULT$.AVG
    2007-12-02 09:13:01 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-12-02 09:13:01 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-12-02 08:49:58 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sunbelt Software
    2007-12-02 08:49:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-12-02 08:49:11 0 d-------- C:\Program Files\Sunbelt Software
    2007-11-30 14:57:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-30 14:53:25 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
    2007-11-30 14:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-30 14:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-27 16:16:50 0 d-------- C:\E2
    2007-11-25 13:15:36 3170 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-25 12:02:09 0 d-------- C:\Program Files\Yahoo!
    2007-11-25 12:02:03 0 d-------- C:\Program Files\CCleaner
    2007-11-25 07:20:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-11-25 07:20:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-11-24 19:29:09 0 d-------- C:\Program Files\Windows Defender
    2007-11-18 18:55:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
    2007-11-17 13:38:38 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2007-11-11 10:05:47 0 d-------- C:\dji_talkturkey


    -- Find3M Report ---------------------------------------------------------------

    2007-12-10 05:38:43 336 --a------ C:\WINDOWS\system32\tablet.dat
    2007-12-08 17:04:30 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
    2007-12-08 17:01:52 0 d-------- C:\Program Files\Common Files\Adobe
    2007-12-08 17:01:03 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
    2007-12-03 07:40:42 0 d-------- C:\Program Files\Web Publish
    2007-12-02 14:06:12 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Opera
    2007-11-30 14:56:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-11-30 14:31:24 0 d-------- C:\Program Files\Common Files
    2007-11-26 06:20:44 0 d-------- C:\Program Files\Java
    2007-11-26 05:32:40 0 d-------- C:\Program Files\WildTangent
    2007-11-25 18:19:53 0 d-------- C:\Program Files\Google
    2007-11-25 18:02:29 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Webshots
    2007-11-25 09:08:47 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-11-24 15:47:04 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
    2007-11-06 17:45:19 0 d-------- C:\Program Files\Real
    2007-11-06 17:45:18 0 d-------- C:\Program Files\Common Files\Real
    2007-11-06 17:44:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
    2007-10-25 16:31:49 0 d-a------ C:\Program Files\Common Files\LightScribe
    2007-10-13 10:36:06 0 d-------- C:\Program Files\Inspiration 8


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 03:56 PM]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 06:19 PM C:\WINDOWS\arpwrmsg.exe]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/10/2005 02:33 AM]
    "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 06:35 PM]
    "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/25/2005 05:34 PM]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 01:12 AM]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [04/06/2004 05:28 AM]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 02:54 PM]
    "HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [06/06/2004 11:42 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/12/2006 06:55 PM]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/30/2007 02:53 PM]
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]
    "a-squared"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [07/16/2007 09:48 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [02/25/2007 08:28 AM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 12:00 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/10/2005 2:33:06 AM]
    Creating Keepsakes Scrapbook Designer Event Reminder.lnk - C:\Program Files\Scrapbook Designer\scrapremind.exe [3/5/2004 2:40:22 PM]
    Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [1/20/2004 3:10:40 AM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 1:23:26 AM]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2/25/2007 8:28:16 AM]
    Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2/22/2006 2:47:44 PM]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [11/23/2005 4:33:52 PM]
    NETGEAR WPN311 Wireless Assistant.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2/21/2005 9:42:24 PM]
    TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [3/22/2007 2:38:38 PM]
    Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [9/22/2005 12:59:19 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 11/30/2007 02:53 PM 9216 C:\WINDOWS\system32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN311 Wireless Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN311 Wireless Assistant.lnk
    backup=C:\WINDOWS\pss\NETGEAR WPN311 Wireless Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
    c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    c:\Program Files\Norton Internet Security\UrlLstCk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ose "=3 (0x3)
    "gusvc "=3 (0x3)
    "ACS "=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PCDrProfiler "=
    "Share-to-Web Namespace Daemon "=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe




    -- End of Deckard's System Scanner: finished at 2007-12-11 04:58:22 ------------
     
  6. 2007/12/11
    rmon123 Inactive Thread Starter
    Thanks for the welcome. I tried to reply with the Deckard log and it has not shown up... must be doing something wrong. Please let me know when you get a chance.

    Thanks,

    Ric
     
  7. 2007/12/11
    PeteC SuperGeek Staff
    I think you managed it :)
     
  8. 2007/12/11
    noahdfear Inactive
    Hi Ric,

    I'm going to recommend a tool based on what I've seen you fixed with HijackThis. This tool better targets the hidden stuff that accompanies the infection.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Now reboot into Safe Mode and logon to your user account.
    1. Open the extracted SDFix folder and double click RunThis.cmd to start the script.
    2. Type Y to begin the cleanup process.
    3. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    4. Press any Key and it will restart the PC.
    5. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    6. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    7. Post the contents of the Report.txt along with a new dss log.
     
  9. 2007/12/11
    rmon123 Inactive Thread Starter

    SDFix Log and Thanks!!


    SDFix: Version 1.117

    Run by HP_Administrator on Tue 12/11/2007 at 08:13 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found





    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-11 20:19:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    IPC error: 2 The system cannot find the file specified.
    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d]
    "CurrentCacheFile "= "C:\WINDOWS\SoftwareDistribution\EventCache\{D2F6B239-CD26-4657-865F-1B3FFF54A935}.bin "
    "FlushCacheFiles "=str(7):" "

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------


    Files with Hidden Attributes:


    Finished!


    Deckard's Log

    Deckard's System Scanner v20071014.68
    Run by HP_Administrator on 2007-12-11 20:31:05
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as HP_Administrator.exe) ------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:31:19 PM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\a-squared Anti-Dialer\a2service.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
    C:\AAA\Tools\HP_ADM~1.EXE

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe "
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180003702518
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8514 bytes

    -- Files created between 2007-11-11 and 2007-12-11 -----------------------------

    2007-12-10 05:28:59 0 d-------- C:\WINDOWS\ERUNT
    2007-12-10 04:51:26 0 d-------- C:\!KillBox
    2007-12-10 03:51:46 0 d-------- C:\Program Files\RogueRemover FREE
    2007-12-09 11:30:17 0 d-------- C:\Program Files\RegCleaner
    2007-12-06 04:28:45 0 d-------- C:\Program Files\a-squared HiJackFree
    2007-12-05 06:02:16 0 d-------- C:\Program Files\a-squared Anti-Dialer
    2007-12-03 07:42:47 0 d-------- C:\Documents and Settings\ric\Application Data\Logitech
    2007-12-03 07:41:54 0 d-------- C:\Documents and Settings\ric\Application Data\AVG7
    2007-12-03 07:41:48 0 d-------- C:\Documents and Settings\ric\Application Data\Sunbelt Software
    2007-12-03 07:41:41 0 d-------- C:\Documents and Settings\ric\Application Data\Share-to-Web Upload Folder
    2007-12-03 07:40:19 0 dr------- C:\Documents and Settings\ric\Favorites
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Desktop
    2007-12-03 07:40:19 0 d--hs---- C:\Documents and Settings\ric\Cookies
    2007-12-03 07:40:19 0 dr-h----- C:\Documents and Settings\ric\Application Data
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Symantec
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\SampleView
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Real
    2007-12-03 07:40:19 0 d---s---- C:\Documents and Settings\ric\Application Data\Microsoft
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Intuit
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Identities
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\ATI
    2007-12-03 07:40:19 0 d-------- C:\Documents and Settings\ric\Application Data\Apple Computer
    2007-12-03 07:40:18 0 d-------- C:\Documents and Settings\ric\WINDOWS
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\Templates
    2007-12-03 07:40:18 0 dr------- C:\Documents and Settings\ric\Start Menu
    2007-12-03 07:40:18 0 dr-h----- C:\Documents and Settings\ric\SendTo
    2007-12-03 07:40:18 0 dr-h----- C:\Documents and Settings\ric\Recent
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\PrintHood
    2007-12-03 07:40:18 1048576 --ah----- C:\Documents and Settings\ric\NTUSER.DAT
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\NetHood
    2007-12-03 07:40:18 0 dr------- C:\Documents and Settings\ric\My Documents
    2007-12-03 07:40:18 0 d--h----- C:\Documents and Settings\ric\Local Settings
    2007-12-02 14:29:27 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
    2007-12-02 14:06:02 0 d-------- C:\Program Files\Opera
    2007-12-02 13:12:25 0 d-------- C:\Documents and Settings\All Users\Application Data\logs
    2007-12-02 11:11:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2007-12-02 11:10:38 0 d-------- C:\Program Files\Security Task Manager
    2007-12-02 09:41:50 0 dr-h----- C:\$VAULT$.AVG
    2007-12-02 09:13:01 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-12-02 09:13:01 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-12-02 08:49:58 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sunbelt Software
    2007-12-02 08:49:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-12-02 08:49:11 0 d-------- C:\Program Files\Sunbelt Software
    2007-11-30 14:57:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-30 14:53:25 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
    2007-11-30 14:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-30 14:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-27 16:16:50 0 d-------- C:\E2
    2007-11-25 13:15:36 3170 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-25 12:02:09 0 d-------- C:\Program Files\Yahoo!
    2007-11-25 12:02:03 0 d-------- C:\Program Files\CCleaner
    2007-11-25 07:20:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-11-25 07:20:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-11-24 19:29:09 0 d-------- C:\Program Files\Windows Defender
    2007-11-18 18:55:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
    2007-11-17 13:38:38 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2007-11-11 10:05:47 0 d-------- C:\dji_talkturkey


    -- Find3M Report ---------------------------------------------------------------

    2007-12-11 20:19:27 336 --a------ C:\WINDOWS\system32\tablet.dat
    2007-12-08 17:04:30 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
    2007-12-08 17:01:52 0 d-------- C:\Program Files\Common Files\Adobe
    2007-12-08 17:01:03 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
    2007-12-03 07:40:42 0 d-------- C:\Program Files\Web Publish
    2007-12-02 14:06:12 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Opera
    2007-11-30 14:56:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-11-30 14:31:24 0 d-------- C:\Program Files\Common Files
    2007-11-26 06:20:44 0 d-------- C:\Program Files\Java
    2007-11-26 05:32:40 0 d-------- C:\Program Files\WildTangent
    2007-11-25 18:19:53 0 d-------- C:\Program Files\Google
    2007-11-25 18:02:29 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Webshots
    2007-11-25 09:08:47 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-11-24 15:47:04 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
    2007-11-06 17:45:19 0 d-------- C:\Program Files\Real
    2007-11-06 17:45:18 0 d-------- C:\Program Files\Common Files\Real
    2007-11-06 17:44:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
    2007-10-25 16:31:49 0 d-a------ C:\Program Files\Common Files\LightScribe
    2007-10-13 10:36:06 0 d-------- C:\Program Files\Inspiration 8


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 03:56 PM]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [08/02/2005 06:19 PM C:\WINDOWS\arpwrmsg.exe]
    "ATICCC "= "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/10/2005 02:33 AM]
    "HPHUPD08 "= "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 06:35 PM]
    "HPBootOp "= "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/25/2005 05:34 PM]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 01:12 AM]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [04/06/2004 05:28 AM]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 02:54 PM]
    "HPHmon06 "= "C:\WINDOWS\system32\hphmon06.exe" [06/06/2004 11:42 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [07/12/2006 06:55 PM]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/30/2007 02:53 PM]
    "SBCSTray "= "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]
    "a-squared "= "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [07/16/2007 09:48 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LDM "= "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [02/25/2007 08:28 AM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 12:00 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/10/2005 2:33:06 AM]
    Creating Keepsakes Scrapbook Designer Event Reminder.lnk - C:\Program Files\Scrapbook Designer\scrapremind.exe [3/5/2004 2:40:22 PM]
    Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [1/20/2004 3:10:40 AM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 1:23:26 AM]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2/25/2007 8:28:16 AM]
    Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2/22/2006 2:47:44 PM]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [11/23/2005 4:33:52 PM]
    NETGEAR WPN311 Wireless Assistant.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2/21/2005 9:42:24 PM]
    TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [3/22/2007 2:38:38 PM]
    Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [9/22/2005 12:59:19 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 11/30/2007 02:53 PM 9216 C:\WINDOWS\system32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN311 Wireless Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN311 Wireless Assistant.lnk
    backup=C:\WINDOWS\pss\NETGEAR WPN311 Wireless Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
    c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    c:\Program Files\Norton Internet Security\UrlLstCk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ose "=3 (0x3)
    "gusvc "=3 (0x3)
    "ACS "=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PCDrProfiler "=
    "Share-to-Web Namespace Daemon "=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe




    -- End of Deckard's System Scanner: finished at 2007-12-11 20:31:49 ------------
     
  10. 2007/12/12
    noahdfear Inactive
    I see nothing in those logs to suggest a problem. Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot

    If the BIT.tmp files are again created, please upload a few of them to my submission channel. They might contain something that will help identify them. Leave a link back to this topic please.
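    The BIT*.tmp files described in this thread are the temporary files the BITS service itself writes while a transfer job is in progress, so the question a defender wants answered is which job is requesting them. The script below is an added example, not a tool from this thread or from any of the posters: it parses the text printed by "bitsadmin /list /allusers /verbose" (bitsadmin ships with the Windows XP Support Tools and is built into later Windows versions) and flags any job that downloads from a host outside an allow-list, writes into a Temp folder, or has a notification command line set. The sample output embedded in it is constructed to resemble bitsadmin's verbose format and uses placeholder GUIDs, hosts and paths; the TRUSTED_HOST_SUFFIXES list and the live_output() helper are assumptions to adapt for the machine being examined.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple

# CONSTRUCTED sample shaped like "bitsadmin /list /allusers /verbose" output.
# GUIDs, hosts and paths are placeholders, not values taken from the thread's logs.
SAMPLE_OUTPUT = """\
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: WU Client Download
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 51200 / 51200
CREATION TIME: 12/11/2007 8:01:12 PM MODIFICATION TIME: 12/11/2007 8:02:40 PM
JOB FILES:
\t51200 / 51200 WORKING http://update.microsoft.com/placeholder/update.cab -> C:\\WINDOWS\\SoftwareDistribution\\Download\\update.cab
NOTIFICATION COMMAND LINE: none

GUID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} DISPLAY: Updater
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / UNKNOWN
CREATION TIME: 12/11/2007 8:13:05 PM MODIFICATION TIME: 12/11/2007 8:13:05 PM
JOB FILES:
\t0 / UNKNOWN WORKING http://unknown-host.invalid/payload.bin -> C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Temp\\svc.exe
NOTIFICATION COMMAND LINE: C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Temp\\svc.exe
Listed 2 job(s).
"""

# Assumption: hosts Windows Update legitimately talks to; extend for your environment.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com")


@dataclass
class BitsJob:
    guid: str
    display: str
    job_type: str = ""
    state: str = ""
    owner: str = ""
    files: List[Tuple[str, str]] = field(default_factory=list)  # (remote URL, local path)
    notify_cmd: str = ""


_GUID_RE = re.compile(r"GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*(.*)$")
_TYPE_RE = re.compile(r"TYPE:\s*(\S+)\s+STATE:\s*(\S+)\s+OWNER:\s*(.*)$")
_FILE_RE = re.compile(r"\s+\S+ / \S+ WORKING (\S+) -> (.*)$")
_NOTIFY_RE = re.compile(r"NOTIFICATION COMMAND LINE:\s*(.*)$")


def parse_bitsadmin(text: str) -> List[BitsJob]:
    """Split verbose bitsadmin output into one BitsJob per GUID block."""
    jobs: List[BitsJob] = []
    current = None
    for line in text.splitlines():
        m = _GUID_RE.match(line)
        if m:  # a new job block starts with its GUID and display name
            current = BitsJob(guid=m.group(1), display=m.group(2).strip())
            jobs.append(current)
            continue
        if current is None:
            continue
        m = _TYPE_RE.match(line)
        if m:
            current.job_type, current.state, current.owner = m.group(1), m.group(2), m.group(3).strip()
            continue
        m = _FILE_RE.match(line)
        if m:  # one "remote -> local" pair per transferred file
            current.files.append((m.group(1), m.group(2).strip()))
            continue
        m = _NOTIFY_RE.match(line)
        if m:  # "none" means no program is launched when the job completes
            cmd = m.group(1).strip()
            current.notify_cmd = "" if cmd.lower() == "none" else cmd
    return jobs


def host_of(url: str) -> str:
    m = re.match(r"[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_trusted_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def triage(jobs: List[BitsJob]) -> List[Tuple[str, List[str]]]:
    """Return (guid, reasons) for every job that deserves a closer look."""
    findings = []
    for job in jobs:
        reasons = []
        for url, local in job.files:
            host = host_of(url)
            if not is_trusted_host(host):
                reasons.append(f"downloads from a host outside the allow-list: {host}")
            if re.search(r"\\temp\\", local, re.IGNORECASE):
                reasons.append(f"writes into a Temp folder: {local}")
        if job.notify_cmd:
            reasons.append(f"runs a command when the transfer completes: {job.notify_cmd}")
        if reasons:
            findings.append((job.guid, reasons))
    return findings


def live_output() -> str:
    """Assumption: run on the examined Windows machine with bitsadmin on the PATH."""
    return subprocess.run(["bitsadmin", "/list", "/allusers", "/verbose"],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for guid, reasons in triage(parse_bitsadmin(SAMPLE_OUTPUT)):
        print(guid)
        for reason in reasons:
            print("  -", reason)
```

    On the constructed sample only the second job is reported, for all three reasons. A job that matches any of them is worth cancelling with its GUID and preserving the referenced file for submission rather than simply deleting it, since the file and the remote URL are what identify the infection.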
     
  11. 2007/12/13
    rmon123 Inactive Thread Starter
    Dave I thank you for taking the time to look. Due to my schedule I can't work on this again until tomorrow morning. At that time I will do as you suggest.
    Why do you think I keep getting inbound attempts from that IP address in Amsterdam - rite.com? This inbound attempt has a direct relationship with the creation of the tmp bit files????
     
  12. 2007/12/14
    rmon123 Inactive Thread Starter
    Dave - I did use ATF with no improvement. I have submitted a sample of the tmp file to the link above per your request. Thanks for the help.
     
  13. 2007/12/14
    noahdfear Inactive
    Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt and a fresh HijackThis log. Let me know if there's any change.
     
  14. 2007/12/16
    rmon123 Inactive Thread Starter
    SmitFraudFix v2.257

    Scan done at 13:16:31.76, Sun 12/16/2007
    Run from C:\AAA\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B6AE4358-F2BF-4845-9849-D1E78426077A}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B6AE4358-F2BF-4845-9849-D1E78426077A}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:35:07 PM, on 12/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\a-squared Anti-Dialer\a2service.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    c:\windows\system\hpsysdrv.exe
    C:\AAA\Tools\HiJackThis.exe

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe "
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180003702518
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8161 bytes

    Dave - above are the 2 reports you wanted to see. If the BITS service is turned on or started in Services I still get the tmp files (BIT25A.tmp for example) and I still get the incoming attempts which are blocked by AVG from 77.91.228.180.

    Please let me know your thoughts as these tmp files and incoming attempts did not start until around 11/24/07. Also any info on the tmp file I submitted to you?

    Thanks again,

    Ric
     
  15. 2007/12/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The tmp file you uploaded was completely empty. I'm going to have to do some more researching to see if I can find a link between BITS service and the creation of the temp files. I'll get back to you with further instructions asap.
     
  16. 2007/12/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ughhh ...... just checked that IP you posted. It's not Amsterdam ....... it's Moscow, home of much of the scumware currently infecting everyone. :mad:

    I've found a way to see what BITS is doing. You'll need the Windows XP Service Pack 2 Support Tools. Download and save to your desktop. Either install it, or proceed with the following if you don't want to install the whole package.


    • Click Start>Run and type %temp% then hit enter to open the temp folder, then make note of any existing folders.
    • Now, start the support tools installer. The first thing it will do is extract its contents to a folder in your temp directory, so look for a new folder now. Mine was named IXP000.tmp
    • Open the new folder and right click>copy the support.cab file, then paste it on your desktop.
    • Close the temp directory and exit the setup wizard.
    • Right click the support.cab file on the desktop and select Explore.
    • Locate the file bitsadmin.exe, right click on it and select Extract.
    • In the Destination popup, navigate to and select C:\Windows\system32
    • Once the system32 folder has been selected, click Extract.
    • Close the support.cab explorer window.

    If you installed the whole support tools package, click Start>All Programs>Windows Support Tools>Command Prompt.
    If you copied only bitsadmin.exe to system32, click Start>Run and type cmd then hit enter to open a command prompt.

    Highlight and copy the entire bolded command below.

    bitsadmin /list /allusers /verbose >> "%userprofile%\desktop\jobs.txt"

    Now right click and paste the command in the command prompt window then hit enter. It will create a file named jobs.txt on your desktop. Post the contents of that file.
     
  17. 2007/12/17
    rmon123

    rmon123 Inactive Thread Starter

    Joined:
    2007/12/10
    Messages:
    22
    Likes Received:
    0
    Dave - I only copied bitsadmin.exe to system32... very interesting results, now what? I tried to post the entire job.txt log but crashed my browser, didn't realize it was over 6 MB in size. Any way to send the entire log to you?

    Below are some sections that contain that wonderful IP address... just a small fraction in this reply.

    PART OF JOB.LOG BELOW!!!!!

    GUID: {245BBC47-854F-4A2E-9289-F5F898B3E637} DISPLAY: MyBGTransfer_1
    TYPE: DOWNLOAD STATE: ERROR OWNER: LYNN\HP_Administrator
    PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / 388090
    CREATION TIME: 11/28/2007 5:23:49 AM MODIFICATION TIME: 12/16/2007 1:29:09 PM
    COMPLETION TIME: UNKNOWN ACL FLAGS:
    NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
    RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 4
    PROXY USAGE: PRECONFIG PROXY LIST: NULL PROXY BYPASS LIST: NULL
    ERROR FILE: http://77.91.228.180/get-last-update.php?sid=0&aid=0&said=0&pn=&config=cn -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ac8zt2.dat
    ERROR CODE: 0x80200010 - There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

    ERROR CONTEXT: 0x00000005 - The error occurred while the remote file was being processed.

    DESCRIPTION:
    JOB FILES:
    0 / 388090 WORKING http://77.91.228.180/get-last-update.php?sid=0&aid=0&said=0&pn=&config=cn -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ac8zt2.dat
    NOTIFICATION COMMAND LINE: none

    GUID: {3D41CD4A-15EC-4036-9B71-E97FA5DD20B5} DISPLAY: MyBGTransfer_1
    TYPE: DOWNLOAD STATE: ERROR OWNER: LYNN\HP_Administrator
    PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / 85946
    CREATION TIME: 11/28/2007 5:39:35 AM MODIFICATION TIME: 12/17/2007 3:04:03 AM
    COMPLETION TIME: UNKNOWN ACL FLAGS:
    NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
    RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 4
    PROXY USAGE: PRECONFIG PROXY LIST: NULL PROXY BYPASS LIST: NULL
    ERROR FILE: http://onsafepro.com/dw.php?sid=0&aid=0&said=0&pn= -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\desktop_background.zip
    ERROR CODE: 0x80200010 - There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

    ERROR CONTEXT: 0x00000005 - The error occurred while the remote file was being processed.

    DESCRIPTION:
    JOB FILES:
    0 / 85946 WORKING http://onsafepro.com/dw.php?sid=0&aid=0&said=0&pn= -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\desktop_background.zip
    NOTIFICATION COMMAND LINE: none

    GUID: {B8241430-7739-4C30-8D0D-CAF586607C6A} DISPLAY: MyBGTransfer_1
    TYPE: DOWNLOAD STATE: ERROR OWNER: LYNN\HP_Administrator
    PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / 388090
    CREATION TIME: 11/28/2007 5:59:08 AM MODIFICATION TIME: 12/17/2007 3:04:05 AM
    COMPLETION TIME: UNKNOWN ACL FLAGS:
    NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
    RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 5
    PROXY USAGE: PRECONFIG PROXY LIST: NULL PROXY BYPASS LIST: NULL
    ERROR FILE: http://77.91.228.180/get-last-update.php?sid=0&aid=0&said=0&pn=&config=cn -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ac8zt2.dat
    ERROR CODE: 0x80200010 - There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

    ERROR CONTEXT: 0x00000005 - The error occurred while the remote file was being processed.

    DESCRIPTION:
    JOB FILES:
    0 / 388090 WORKING http://77.91.228.180/get-last-update.php?sid=0&aid=0&said=0&pn=&config=cn -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ac8zt2.dat
    NOTIFICATION COMMAND LINE: none

    Listed 6274 job(s).
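    The jobs.txt listing above is the raw material for the triage. As an added example (my own code, not from this thread, the forum helper or Microsoft), here is a small Python script that parses the verbose bitsadmin layout and groups jobs by remote host, so a 6 MB listing with thousands of jobs collapses to a few lines; Python is my choice rather than the XP command prompt. The allow-list of update hosts and the second, benign-looking sample job are assumptions, not from the page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed listing in the jobs.txt layout above: job 1 is from the post, job 2 a placeholder benign job.
SAMPLE = r"""GUID: {245BBC47-854F-4A2E-9289-F5F898B3E637} DISPLAY: MyBGTransfer_1
TYPE: DOWNLOAD STATE: ERROR OWNER: LYNN\HP_Administrator
JOB FILES:
0 / 388090 WORKING http://77.91.228.180/get-last-update.php?sid=0&aid=0&said=0&pn=&config=cn -> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ac8zt2.dat
NOTIFICATION COMMAND LINE: none
GUID: {00000000-0000-0000-0000-000000000001} DISPLAY: placeholder update job
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
JOB FILES:
1024 / 1024 TRANSFERRED http://download.windowsupdate.com/placeholder.cab -> C:\WINDOWS\SoftwareDistribution\Download\placeholder.cab
NOTIFICATION COMMAND LINE: none
"""
JOB_HEADER = re.compile(r"^GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*(.*)$")
STATE_LINE = re.compile(r"^TYPE:\s*(\S+)\s+STATE:\s*(\S+)\s+OWNER:\s*(.*)$")
FILE_LINE = re.compile(r"^\d+\s*/\s*\d+\s+\S+\s+(\S+)\s+->\s+(.*)$")
TRUSTED_SUFFIXES = ("windowsupdate.com", "microsoft.com")  # assumed allow-list

def parse_jobs(text):
    """A GUID line opens a job; JOB FILES .. NOTIFICATION COMMAND LINE lists its files."""
    jobs, job, in_files = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := JOB_HEADER.match(line):
            job = {"guid": m[1], "display": m[2].strip(), "files": []}
            jobs.append(job)
            in_files = False
        elif job is None:
            continue
        elif m := STATE_LINE.match(line):
            job["type"], job["state"], job["owner"] = m.groups()
        elif line.startswith("JOB FILES:"):
            in_files = True
        elif line.startswith("NOTIFICATION COMMAND LINE:"):
            in_files = False
        elif in_files and (m := FILE_LINE.match(line)):
            job["files"].append((m[1], m[2].strip()))  # (remote URL, local path)
    return jobs

def suspicious(job):
    """Remote host outside the allow-list, or a user Temp destination as in the post."""
    for url, local in job["files"]:
        host = (urlsplit(url).hostname or "").lower()
        if not host.endswith(TRUSTED_SUFFIXES) or "\\temp\\" in local.lower():
            return True
    return False

def triage(text):
    """Return (job count per remote host, suspicious jobs) for a full listing."""
    jobs = parse_jobs(text)
    hosts = Counter(urlsplit(u).hostname for j in jobs for u, _ in j["files"])
    return hosts, [j for j in jobs if suspicious(j)]
```

    Run `triage(open("jobs.txt").read())` on a real listing; the host counter shows at a glance where the thousands of MyBGTransfer_1 jobs point, and the flagged list is what to review before clearing the queue.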
     
  18. 2007/12/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I sure wasn't expecting a 6 MB log! :eek: Let's just nuke them all. :D

    First, make sure BITS is set to manual and stopped. Highlight and copy the bolded line below, including the quotes.

    "%allusersprofile%\Application Data\Microsoft\Network\Downloader"

    Click Start>Run and paste the command then hit enter. In the folder that opens there will be two files named qmgr0.dat and qmgr1.dat ....... move them to a new folder on your desktop.

    Now run ATF Cleaner again, making sure to empty the Temp folders. Reboot.

    Start BITS again when you logon and let me know what happens.

    I'd like for you to upload those qmgr*.dat files to my submission channel please. Leave a link back to this topic.

    Thanks!
     
  19. 2007/12/17
    rmon123

    rmon123 Inactive Thread Starter

    Joined:
    2007/12/10
    Messages:
    22
    Likes Received:
    0
    Dave - Nuke works for me :D! Do you want your quote above pasted in the Run dialog box or open the cmd prompt and then paste? Also, I have BITS set to disabled and stopped presently... I will change to manual and stop before I go with your command. It looks like AVG is blocking these inbound attempts, would you agree with that? Also this morning using CounterSpy - it picked up an entry in the registry "HKEY_USERS\S-1-5-21......\SOFTWARE\WGET" that it said was Bifrost trojan. I deleted the key. I know that WGET is a free software program that implements simple and powerful content retrieval from web servers. I ran several scans with different programs and picked up nothing after I deleted that registry key, which was empty by the way. I will not be able to get on the computer with the problems until tonight or probably tomorrow morning. I will advise when I do and submit the results of the qmgr*.dat files.

    Thanks for your help.
     
  20. 2007/12/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run dialog box is fine, and there's no need to change BITS from disabled to manual prior to moving the files. The key is that BITS is not running. ;)
     
  21. 2007/12/18
    rmon123

    rmon123 Inactive Thread Starter

    Joined:
    2007/12/10
    Messages:
    22
    Likes Received:
    0
    Dave, I think you discovered the trick to my problem:)! I ran the command to clear bitsadmin and saved the 2 dat files that it created. I have had an internet connection for 47 minutes now (after I ran the command) with BITS started and on manual. NO MORE BITS temp files as of yet (prior to this I would have had about 150 of them in that amount of time). I reran bitsadmin.exe and below is the new log file it created:

    BITSADMIN version 2.0 [ 6.6.2600.2180 ]
    BITS administration utility.
    (C) Copyright 2000-2004 Microsoft Corp.

    Listed 0 job(s).

    134KB, a far cry from over 6MB yesterday when I ran it and could not post due to its size.

    I will submit the 2 dat files you requested but they are about 6MB a piece.

    I will monitor for a few days and let you know. What do you think I should run to make sure this machine is really, really clean?

    I have seen a lot of different forums, etc. where the user is asking about BITS.tmp files and the user never received a good answer. Just advice to run this program or that but no ending with it resolved. Thanks for sticking with it...seems like you are now the BITS.tmp file expert:cool:!! The Windows XP Support Tools really helped along with bitsadmin.exe.

    Please give me your advice on what to run to make sure this machine is clean again.

    APPRECIATE it a lot.

    Ric
     
