
Solved sfhgj.exe worm

Discussion in 'Malware and Virus Removal Archive' started by ql213, 2007/11/05.

  1. 2007/11/05
    ql213

    ql213 Inactive Thread Starter

    Joined:
    2007/11/05
    Messages:
    6
    Likes Received:
    0
    [Resolved] sfhgj.exe worm

    Sorry for the trouble, but I've just got an MSN worm called sfhgj.exe, which is apparently a variant of rpmsvc.exe and other earlier samples. In the registry key it seems to have disguised itself as "Audio Device Manager".

    I have information on removing it from http://www.cisrt.org/enblog/read.php?178&guid=3. As mentioned above, it seems to have disguised itself as "Audio Device Manager" at the same location as its variant. However, I do not know the exact location of the file(s). What I have found is a .pf file of it in WINDOWS\Prefetch. I was told by my friend, who got the file/worm from me (but I am not sure whether he is infected by it or not), that I should not take any action yet and ask for help on this forum first. I would be grateful if someone could give me advice on what to do in this particular situation.
     
    Last edited: 2007/11/06
  2. 2007/11/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ql213
    Welcome to WindowsBBS. :)

    Let's run a tool so we can get a better look at things.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.

    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt only for now.


    Thanks
    Geri
     

  4. 2007/11/06
    ql213

    ql213 Inactive Thread Starter

    sfhgj.exe

    I was advised by my friend last night to delete the registry key of sfhgj.exe; otherwise I have not taken any action before the reply.

    The main.txt file created by dss.exe is as follows:

     
  5. 2007/11/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi ql213

    Enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\sfhgj.exe

    After that, Reboot.

    Go back to the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading unselect Show hidden files and folders.
    Check the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
      Post the contents of the ActiveScan report

    Post the Panda scan report and a new HJT log.

    Thanks
    Geri
     
  6. 2007/11/07
    ql213

    ql213 Inactive Thread Starter

    Even with operating system files showing, I cannot locate sfhgj.exe in C:\WINDOWS\. Shall I clear away the other spyware and cookies in the meantime?
     
  7. 2007/11/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi ql213
    Yeah, go ahead with clearing the cookies. Here is a good program for cleaning cookies and other internet junk. Make sure you select cookies on that list.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Let's try this with the files.

    Download OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please post the contents of C:\_OTMoveIt\MovedFiles

    Thanks
    Geri
     
  8. 2007/11/08
    ql213

    ql213 Inactive Thread Starter

    There is no sign of sfhgj.exe around, and I have not seen any activity from it since the 2nd post. It looks like it has been silenced one way or the other.
     
  9. 2007/11/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi ql213
    OK

    Please post a new dss log. I'd like to see if that file still shows up there.

    Thanks
    Geri
     
  10. 2007/11/10
    ql213

    ql213 Inactive Thread Starter

    moderator note: I removed the quote tags ...... makes it harder to read the log
    noahdfear


    Here we are:

    Deckard's System Scanner v20071014.68
    Run by Quentin on 2007-11-10 19:06:29
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 78% (more than 75%).


    -- HijackThis (run as Quentin.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:06:50, on 10/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Elantech\ktp3.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\DAP\DAP.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Quentin\My Documents\My Completed Downloads\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Quentin.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\proxy.pac
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191440144572
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 9779 bytes

    -- Files created between 2007-10-10 and 2007-11-10 -----------------------------

    2007-11-08 18:51:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-07 23:57:36 0 d-------- C:\Documents and Settings\Quentin\Application Data\AVG7
    2007-11-07 23:57:11 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
    2007-11-07 23:56:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-07 23:56:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-07 13:43:37 0 d-------- C:\WINDOWS\system32\ActiveScan
    2007-11-05 23:26:23 3426336 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-05 22:55:51 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-11-05 22:55:44 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-11-05 22:55:34 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2007-11-05 22:55:04 0 d-------- C:\WINDOWS\system32\ZoneLabs
    2007-11-05 22:54:17 0 d-------- C:\WINDOWS\Internet Logs
    2007-11-01 23:29:37 555 --a------ C:\WINDOWS\eReg.dat
    2007-11-01 22:51:59 0 d-------- C:\Program Files\EA GAMES
    2007-10-24 12:23:25 0 d-------- C:\Documents and Settings\Quentin\Application Data\Printer Info Cache
    2007-10-24 12:23:24 0 d-------- C:\Documents and Settings\Quentin\Application Data\Image Zone Express
    2007-10-24 09:48:12 61440 --a------ C:\WINDOWS\system32\IFORCE2.dll <Not Verified; Immersion Corporation; Immersion Corporation IFORCE2>
    2007-10-24 09:48:01 216 --a------ C:\WINDOWS\PowerReg.dat
    2007-10-24 09:46:43 0 d-------- C:\MicroProse
    2007-10-24 09:38:11 0 d-------- C:\Program Files\DAEMON Tools
    2007-10-24 09:30:54 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-10-23 22:43:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2007-10-23 22:43:36 0 d-------- C:\Documents and Settings\Quentin\Application Data\Azureus
    2007-10-23 22:27:44 0 d-------- C:\Program Files\Azureus
    2007-10-23 22:27:16 0 d-------- C:\WINDOWS\Sun
    2007-10-23 22:27:16 0 d-------- C:\Documents and Settings\Quentin\Application Data\Sun
    2007-10-23 22:26:25 0 d-------- C:\Program Files\Java
    2007-10-23 22:24:53 0 d-------- C:\Program Files\Common Files\Java
    2007-10-23 22:16:54 0 d-------- C:\Program Files\PeerGuardian2
    2007-10-22 21:13:16 0 d-------- C:\Program Files\Call of Duty
    2007-10-22 01:33:00 0 d--h----- C:\WINDOWS\PIF
    2007-10-17 23:13:03 0 d-------- C:\Program Files\Lavasoft
    2007-10-17 23:13:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-16 23:52:12 0 d-------- C:\Program Files\csoft
    2007-10-14 22:26:57 0 d-------- C:\Program Files\VirtuallTek
    2007-10-14 01:18:56 0 d-------- C:\Documents and Settings\Quentin\Application Data\Ventrilo
    2007-10-14 01:18:43 0 d-------- C:\Program Files\Ventrilo
    2007-10-14 01:18:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-13 22:28:38 0 d-------- C:\Program Files\Guild Wars
    2007-10-13 18:18:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-13 18:18:20 1024000 --a------ C:\WINDOWS\system32\3ivx.dll <Not Verified; 3ivx.com; 3ivx D4 4.5.1 Pro>
    2007-10-13 18:18:19 1415680 --a------ C:\WINDOWS\system32\WMV9VCM.dll <Not Verified; Microsoft Corporation; Windows Media Video 9 VCM>
    2007-10-13 18:18:18 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
    2007-10-13 18:18:16 0 d-------- C:\Documents and Settings\Quentin\Application Data\Real
    2007-10-13 14:55:48 0 d-------- C:\Program Files\DivX
    2007-10-13 14:54:18 0 d-------- C:\Documents and Settings\Quentin\Application Data\Adobe
    2007-10-13 00:34:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2007-10-13 00:34:13 0 d-------- C:\Program Files\Common Files\Adobe
    2007-10-12 16:13:12 0 d-------- C:\Documents and Settings\Quentin\Contacts
    2007-10-12 16:12:34 0 d-------- C:\Program Files\MSN Messenger
    2007-10-12 16:03:37 0 d-------- C:\Documents and Settings\Quentin\Application Data\HP
    2007-10-12 16:03:23 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
    2007-10-12 16:02:29 0 d-------- C:\Program Files\Common Files\HP
    2007-10-12 16:01:15 0 d-------- C:\Program Files\Hewlett-Packard
    2007-10-12 16:00:54 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-10-12 15:59:49 73728 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
    2007-10-12 15:59:04 0 d-------- C:\Program Files\HP
    2007-10-12 15:53:07 0 d-------- C:\Program Files\SpeedBit Video Accelerator
    2007-10-12 15:50:04 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-12 15:49:57 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
    2007-10-12 15:49:56 0 d-------- C:\Program Files\DAP
    2007-10-12 15:41:49 117922 --a------ C:\WINDOWS\hpoins11.dat
    2007-10-12 15:35:17 0 d-------- C:\Documents and Settings\Quentin\Application Data\Google
    2007-10-12 15:32:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2007-10-12 15:32:33 0 d-------- C:\Program Files\Google
    2007-10-12 15:32:32 0 d--h----- C:\WINDOWS\msdownld.tmp
    2007-10-12 15:28:42 0 d-------- C:\WINDOWS\network diagnostic
    2007-10-11 22:55:29 0 d-------- C:\Documents and Settings\Quentin\Application Data\Help
    2007-10-11 22:36:59 0 d-------- C:\Documents and Settings\Quentin\Application Data\Media Player Classic
    2007-10-11 14:51:52 0 d-------- C:\Documents and Settings\Quentin\Application Data\DivX


    -- Find3M Report ---------------------------------------------------------------

    2007-11-10 19:02:24 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2007-11-07 14:27:33 0 d-------- C:\Program Files\Elantech
    2007-11-05 20:03:46 0 d-------- C:\Program Files\Trend Micro
    2007-11-04 03:27:49 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-10-23 22:24:53 0 d-------- C:\Program Files\Common Files
    2007-10-13 18:18:20 0 d-------- C:\Program Files\K-Lite Codec Pack
    2007-10-08 19:16:06 0 d-------- C:\Program Files\Microsoft Works
    2007-10-08 19:09:14 0 d-------- C:\Documents and Settings\Quentin\Application Data\Macromedia
    2007-10-08 19:08:49 0 d-------- C:\Documents and Settings\Quentin\Application Data\Mozilla
    2007-10-08 18:56:19 0 d-------- C:\Program Files\Common Files\L&H
    2007-10-08 18:55:57 0 d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-08 18:50:39 0 d-------- C:\Program Files\Microsoft.NET
    2007-10-08 18:43:03 0 d-------- C:\Documents and Settings\Quentin\Application Data\Bitdefender
    2007-10-03 21:16:44 1156 --a------ C:\WINDOWS\mozver.dat
    2007-10-03 21:03:50 0 d-------- C:\Program Files\NetMeter
    2007-10-03 20:31:26 0 --a------ C:\WINDOWS\nsreg.dat
    2007-10-03 20:05:26 0 d-------- C:\Program Files\MSXML 4.0
    2007-10-03 20:03:25 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-10-03 19:54:39 0 d-------- C:\Program Files\Messenger
    2007-10-03 19:33:54 0 d-------- C:\Documents and Settings\Quentin\Application Data\Intel
    2007-10-03 18:18:37 0 d-------- C:\Program Files\Movie Maker
    2007-10-03 18:16:58 0 d-------- C:\Program Files\Windows NT
    2007-10-03 05:43:07 0 d-------- C:\Program Files\InterVideo
    2007-10-03 05:41:44 0 d-------- C:\Program Files\Intel
    2007-10-02 21:07:41 0 d-------- C:\Program Files\DIFX


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [23/09/2003 16:06 C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [19/12/2003 09:53 C:\WINDOWS\SOUNDMAN.EXE]
    "ATIModeChange"="Ati2mdxx.exe" [04/09/2001 08:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [12/12/2003 19:31]
    "KTPWare"="C:\Program Files\Elantech\ktp3.exe" [27/11/2003 10:33]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [18/10/2006 17:04]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [18/10/2006 16:58]
    "BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [02/04/2007 15:48]
    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [26/03/2007 14:49]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 21:32]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 21:31]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 21:32]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 21:32]
    "DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [12/10/2007 15:49]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [08/05/2007 15:24]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 19:51]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
    "SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [02/11/2007 11:38]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/09/2007 16:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07/11/2007 23:56]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 23:56]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/10/2007 15:35]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [18/09/2007 14:16]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [19/02/2006 03:21:22]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=sockspy.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"




    -- End of Deckard's System Scanner: finished at 2007-11-10 19:10:11 ------------



    I cannot see it anymore.
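A small triage script for the HijackThis O4 (autostart) lines in logs like the one above, added here as an example; it is not part of the thread, HijackThis or Deckard's System Scanner. The log in this post was taken after the Run entry had already been deleted, so the constructed sample below re-adds an `[Audio Device Manager] C:\WINDOWS\sfhgj.exe` line and an `rpmsvc.exe` line assumed to look like what the OP originally saw; the three traits it scores (executable dropped straight into C:\WINDOWS, a vowel-less generated-looking filename, a display name that shares nothing with the filename) and the reporting threshold are my assumptions, not signatures.

```python
"""Score HijackThis O4 lines for traits that made the thread's sfhgj.exe stand out.
Added example, not part of the thread or of HJT/DSS; heuristics are assumptions,
so hits are leads to vet by hand, not verdicts."""
import re
from typing import Dict, List, Optional, Tuple

WINDIR = r"C:\WINDOWS"      # assumption: default XP system root, as in the thread's log
VOWELS = set("aeiouy")
REPORT_THRESHOLD = 2        # assumption: report an entry once two or more traits coincide

# Shape of an O4 line:  O4 - HKLM\..\Run: [Display Name] "C:\path\file.exe" /args (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Leading executable path, quoted or not, with or without spaces, before any arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|bat|pif|dll))"?(?:\s|$)', re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")

# Constructed sample: lines from the thread's HJT log plus the two assumed worm entries.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Audio Device Manager] C:\WINDOWS\sfhgj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rpmsvc] C:\WINDOWS\rpmsvc.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, display name and executable path; None for other lines.
    Bare filenames are resolved against WINDIR, which is where the thread's DSS registry
    dump located AGRSMMSG.exe and SOUNDMAN.EXE."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
    e = EXE_RE.match(cmd)
    if not e:
        return None
    exe = e.group("exe")
    if "\\" not in exe:
        exe = WINDIR + "\\" + exe
    return {"hive": m.group("hive"), "name": m.group("name"), "exe": exe}


def name_tokens(display: str) -> List[str]:
    """Lower-case words of the display name, ignoring very short fragments."""
    return [t for t in re.split(r"[^a-z0-9]+", display.lower()) if len(t) >= 3]


def score_entry(entry: Dict[str, str]) -> List[str]:
    """Return the traits that make this autorun entry worth a look (empty = nothing odd)."""
    directory, _, filename = entry["exe"].rpartition("\\")
    stem = filename.rsplit(".", 1)[0].lower()
    reasons = []
    # 1. Dropped straight into the Windows directory instead of a product folder.
    if directory.lower() == WINDIR.lower():
        reasons.append("executable sits directly in " + WINDIR)
    # 2. Generated-looking filename: four or more letters and not a single vowel.
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) >= 4 and not (set(letters) & VOWELS):
        reasons.append("filename has no vowels (looks generated)")
    # 3. Legitimate-sounding display name that shares nothing with the filename.
    tokens = name_tokens(entry["name"])
    if tokens and not any(t in stem or stem in t for t in tokens):
        reasons.append("display name %r does not match file %r" % (entry["name"], filename))
    return reasons


def scan_log(text: str) -> List[Tuple[int, str, str, List[str]]]:
    """Score every O4 line in an HJT log; return (score, name, exe, reasons), worst first."""
    hits = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = score_entry(entry)
        if len(reasons) >= REPORT_THRESHOLD:
            hits.append((len(reasons), entry["name"], entry["exe"], reasons))
    hits.sort(key=lambda h: -h[0])
    return hits


if __name__ == "__main__":
    for score, name, exe, reasons in scan_log(SAMPLE_HJT_LOG):
        print("%d  [%s] %s" % (score, name, exe))
        for r in reasons:
            print("      - " + r)
```

Entries that trip only one trait (IntelWireless, whose file ifrmewrk.exe shares no word with its display name, or the bare AGRSMMSG.exe in C:\WINDOWS) stay below the threshold, which is the point of requiring traits to coincide.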
     
  11. 2007/11/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi ql213
    OK, it's not showing in the dss log either. :)

    Open OTMoveIt and click the clean up button, this will remove dss and OTMoveIt and logs created.

    Run another Panda scan to make sure you come up clean apart from cookies. If clean, there's no need to post the results.

    Let me know either way, and if things are running OK.
    Thanks
    Geri
     
  12. 2007/11/11
    ql213

    ql213 Inactive Thread Starter

    Panda found no more traces of it on the second scan. Looks like I'm good to go now.

    Anyway, thanks a bunch Geri!
     
  13. 2007/11/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi ql213
    OK, good to hear. :)

    Here are a couple things to do and look over.

    This would be a good time to set a new system restore point for your machine.
    Set New System Restore Point Windows XP. - Set New System Restore Point Windows Vista
    Do not do this unless there are no other user accounts to be diagnosed.

    If there are any other user accounts on this machine, they, too, must be cleaned with AdAware and Spybot S&D. Not all infections are global, nor are all fixes global.
    Log onto that user account, run HJT and save the log, and post each user account's log here in this thread, but please do only one at a time to avoid confusion. Please let us know that it is a different account.


    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I will mark this thread resolved.
    Surf Safely
    Geri
     
