Dabzarch

REG/Zapchast Trojan -

10 posts in this topic

Hi,

 

I'm in a bit of bother with the above Trojan. I have NOD32 popping up each time I start my computer, alerting me that I have this trojan attached to C:\a.bat. I cannot see this file anywhere in the C: directory. It also mentions something about pebjuh.exe. Cannot seem to find this either.

 

If anyone can help, that would be great. Cheers

 

 

Logfile of HijackThis v1.99.1

Scan saved at 09:22:59, on 07/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\hphmon06.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\pebjuh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HPQ\shared\hpqwmi.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\Rar$EX00.297\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB004" /M "Stylus Photo R320"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe

O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Microsoft Update Machine] pebjuh.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] pebjuh.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://213.190.145.76/MapControl/Download/mgaxctrl.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146829505906

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


I ran SDFix to have a gander... here is the report attached. Also an updated HijackThis report.

 

SDFix: Version 1.86

 

Run by Rob- 07/06/2007 - 10:55:57.17

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

 

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Checking if ADS is attached to ntoskrnl.exe

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"

"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"

"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"C:\\Program Files\\@Last Software\\SketchUp 5\\SketchUp.exe"="C:\\Program Files\\@Last Software\\SketchUp 5\\SketchUp.exe:*:Enabled:SketchUp Application"

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Next Limit\\Maxwell\\mxcl.exe"="C:\\Program Files\\Next Limit\\Maxwell\\mxcl.exe:*:Enabled:mxcl"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"="C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe:*:Disabled:SketchUp Application"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\WINDOWS\\system32\\pebjuh.exe"="C:\\WINDOWS\\system32\\pebjuh.exe:*:Disabled:pebjuh"

"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:utorrent"

"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

Remaining Files:

---------------

 

 

Listing Files with Hidden Attributes:

 

C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll

C:\Program Files\Graphisoft\ArchiCAD 11\wkwin32.DLL

C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe

C:\WINDOWS\system32\pebjuh.exe

 

Listing User Accounts:

 

User accounts for \\LAPTOP03

 

Administrator ASPNET Guest

HelpAssistant Rob SUPPORT_388945a0

 

 

Finished

 

------------------------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 11:18:50, on 07/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\hphmon06.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HPQ\shared\hpqwmi.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB004" /M "Stylus Photo R320"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe

O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://213.190.145.76/MapControl/Download/mgaxctrl.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146829505906

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

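The two logs above already contain the answer to why NOD32 keeps alerting on a file the poster cannot see: the HijackThis O4 section lists `pebjuh.exe` with no directory, once under `Run` and once under the Win9x-era `RunServices` key, under a name that imitates a Microsoft component, and the SDFix report lists `C:\WINDOWS\system32\pebjuh.exe` among files carrying the hidden attribute. The following Python script is an added triage example for readers of this thread; it is not part of HijackThis, SDFix or any post here. It parses those two sections from constructed sample lines copied from the logs above, flags registry autostart entries with those traits, and cross-references them with hidden files in `system32`. The heuristics (`triage_o4`, `hidden_system32`, `correlate`) are this example's own, not rules from either tool.

```python
"""Triage of a HijackThis O4 section against an SDFix hidden-file listing.

Added example for this thread; not part of HijackThis, SDFix or the posts.
The sample lines below are constructed from the logs posted in the thread.
"""
import re
from dataclasses import dataclass

# Registry autostart lines look like: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)


@dataclass
class Finding:
    line: str       # the original O4 line
    exe: str        # the executable part of the command
    reasons: list   # why this entry was flagged


def _executable_of(cmd: str) -> str:
    """Return the program path from an O4 command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_o4(hjt_lines):
    """Flag registry autostart entries showing the traits seen on pebjuh.exe."""
    findings = []
    for raw in hjt_lines:
        m = O4_RE.match(raw.strip())
        if not m:
            continue  # Startup-folder entries and other sections are ignored here
        exe = _executable_of(m.group('cmd'))
        reasons = []
        # A bare file name is resolved through the search path at logon;
        # legitimate installers almost always register a full path.
        if '\\' not in exe and not exe.startswith('%'):
            reasons.append('command has no directory')
        # RunServices is a Windows 9x-era key; XP-era software does not use it.
        if m.group('key').lower() == 'runservices':
            reasons.append('registered under RunServices')
        # A Microsoft-sounding entry name that does not point at a Microsoft or Windows path.
        if 'microsoft' in m.group('name').lower() and not re.search(r'microsoft|windows', exe, re.I):
            reasons.append('Microsoft-style name but command is not under a Microsoft or Windows path')
        if reasons:
            findings.append(Finding(raw.strip(), exe, reasons))
    return findings


def hidden_system32(sdfix_lines):
    """Return paths under \\WINDOWS\\system32 from SDFix's hidden-attribute listing."""
    paths, in_section = [], False
    for raw in sdfix_lines:
        line = raw.strip()
        if line.startswith('Listing Files with Hidden Attributes'):
            in_section = True
            continue
        if in_section and (line.startswith('Listing ') or line.startswith('Finished')):
            break  # next SDFix section reached
        if in_section and re.match(r'^[A-Za-z]:\\', line):
            paths.append(line)
    return [p for p in paths if '\\windows\\system32\\' in p.lower()]


def correlate(hjt_lines, sdfix_lines):
    """Basenames that are both a flagged autostart and a hidden file in system32."""
    flagged = {f.exe.rsplit('\\', 1)[-1].lower() for f in triage_o4(hjt_lines)}
    hidden = {p.rsplit('\\', 1)[-1].lower() for p in hidden_system32(sdfix_lines)}
    return sorted(flagged & hidden)


# Constructed sample input, copied from the HijackThis and SDFix logs in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Microsoft Update Machine] pebjuh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] pebjuh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
""".strip().splitlines()

SAMPLE_SDFIX = r"""
Listing Files with Hidden Attributes:

C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\Program Files\Graphisoft\ArchiCAD 11\wkwin32.DLL
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\WINDOWS\system32\pebjuh.exe

Listing User Accounts:

User accounts for \\LAPTOP03
""".strip().splitlines()


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_HJT):
        print(f.line, '->', '; '.join(f.reasons))
    print('hidden in system32 and autostarted:', correlate(SAMPLE_HJT, SAMPLE_SDFIX))
```

Run as written, the script reports both `pebjuh.exe` autostart lines and nothing else, and the correlation step names `pebjuh.exe` as the one binary that is both autostarted without a path and hidden in `system32`, which is exactly why Explorer did not show it to the poster. The SDFix firewall export in the same post, where `pebjuh.exe` appears as an authorized application, is a third indicator a helper would check by hand.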

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi,

 

You did well; now I would like to see the results of this scan.

 

Download this file - combofix.exe

 

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

 

"%userprofile%\desktop\combofix.exe"

 

Boot into safe mode by tapping the F8 key just before Windows starts to load.

 

Go to Start --> Run and copy/paste in the following:

 

"%userprofile%\desktop\combofix.exe"

 

When finished, it shall produce a log for you. Save it and post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

In your next post, please include

  • new hijackthis log
  • combofix log

*use separate posts to ensure the logs don't get cut off!

 

Let me know what problem remains.


Hi,

 

Thanks for your help..... I think it's still there, just disabled?? Everything seems fine, but I'm not sure!

 

 

ComboFix 07-06-13.3 - C:\Documents and Settings\Robert White\desktop\combofix.exe

"Robert White" - 2007-06-13 12:59:19 - Service Pack 2 NTFS [sAFE MODE]

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\install.log

 

 

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

 

 

2007-06-13 12:52 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-13 09:43 <DIR> d-------- C:\Program Files\Luxology

2007-06-12 15:55 63,924 --ah----- C:\WINDOWS\system32\mlfcache.dat

2007-06-12 12:30 <DIR> d-------- C:\Program Files\Safari

2007-06-12 12:30 <DIR> d-------- C:\Program Files\Bonjour

2007-06-12 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

2007-06-11 11:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

2007-06-11 11:02 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Sammsoft

2007-06-11 09:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-06-08 15:23 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

2007-06-07 22:05 <DIR> d-------- C:\WINDOWS\system32\Viewers

2007-06-07 22:03 <DIR> d-------- C:\WINDOWS\ShellNew

2007-06-07 22:03 <DIR> d-------- C:\Program Files\Snapshot Viewer

2007-06-07 22:01 <DIR> d-------- C:\WINDOWS\Twain32

2007-06-07 22:01 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Microsoft Web Folders

2007-06-07 14:20 1,165 --a------ C:\WINDOWS\mozver.dat

2007-06-07 13:08 <DIR> d-------- C:\Program Files\InterMute

2007-06-07 10:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-06-07 10:24 <DIR> d-------- C:\Program Files\Lavasoft

2007-06-07 10:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-07 10:07 <DIR> d-------- C:\ie-spyad

2007-06-07 10:06 0 --a------ C:\WINDOWS\nsreg.dat

2007-06-07 09:49 <DIR> d-------- C:\Program Files\SpywareBlaster

2007-06-07 09:48 75,512 --a------ C:\WINDOWS\zllsputility.exe

2007-06-07 09:48 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-06-07 09:47 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll

2007-06-07 09:47 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2007-06-07 09:47 <DIR> d-------- C:\WINDOWS\Internet Logs

2007-06-07 00:14 90,112 --a------ C:\WINDOWS\unvise32.exe

2007-06-07 00:10 <DIR> d-------- C:\Program Files\Artlantis

2007-06-06 21:01 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Abvent

2007-06-06 21:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Abvent

2007-06-06 20:55 <DIR> d-------- C:\Program Files\Artlantis Studio

2007-06-06 18:02 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2007-06-06 16:46 <DIR> d-------- C:\Program Files\uTorrent

2007-06-06 16:46 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\uTorrent

2007-06-05 16:21 <DIR> d-------- C:\DOCUME~1\ROBERT~1\Graphisoft

2007-06-05 16:21 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Graphisoft

2007-06-05 16:14 72,704 --a------ C:\WINDOWS\system32\drivers\WibuKey.sys

2007-06-05 16:14 57,552 --a------ C:\WINDOWS\system32\WkDos.exe

2007-06-05 16:14 516,096 --a------ C:\WINDOWS\system32\WibuXpm4J32.dll

2007-06-05 16:14 479,232 --a------ C:\WINDOWS\system32\wibuKJni.dll

2007-06-05 16:14 348,160 --a------ C:\WINDOWS\system32\WkExt32.dll

2007-06-05 16:14 16,384 --a------ C:\WINDOWS\system32\drivers\Wibukey2.sys

2007-06-05 16:14 159,744 --a------ C:\WINDOWS\system32\WkWin32.dll

2007-06-05 16:14 <DIR> d-------- C:\Program Files\WIBUKEY

2007-06-05 16:14 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS

2007-06-05 16:12 <DIR> d-------- C:\Program Files\Graphisoft

2007-06-05 15:57 <DIR> d-------- C:\Program Files\BitLord

2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys

2007-06-01 12:29 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2007-05-29 14:41 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Luxology

2007-05-16 21:54 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-12 11:34:12 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Apple Computer

2007-06-12 11:30:28 -------- d-----w C:\Program Files\Apple Software Update

2007-06-07 10:42:34 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Lavasoft

2007-06-06 17:08:35 -------- d-----w C:\Program Files\Google

2007-06-06 14:59:14 -------- d-----w C:\Program Files\Hp

2007-05-30 09:50:21 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\U3

2007-05-29 13:50:40 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-05 17:38:28 -------- d-----w C:\Program Files\iTunes

2007-05-05 17:38:15 -------- d-----w C:\Program Files\iPod

2007-05-05 12:38:59 -------- d-----w C:\Program Files\QuickTime

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

2007-03-21 20:51:11 298,104 ----a-w C:\WINDOWS\system32\imon.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2004-08-04 12:00:00 2,495,488 --sh--r C:\WINDOWS\system32\pebjuh.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-05 14:52]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24]

"hpWirelessAssistant"="%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" []

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 14:54]

"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]

"HPHUPD06"="C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 06:09]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-21 21:51]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-11 11:58]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"RegistryMechanic"="" []

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert White^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=C:\Documents and Settings\Robert White\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert White^Start Menu^Programs^Startup^Vitrite.lnk]

path=C:\Documents and Settings\Robert White\Start Menu\Programs\Startup\Vitrite.lnk

backup=C:\WINDOWS\pss\Vitrite.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ireland.com email alert]

C:\Program Files\email alert\ireland\irealert.exe -auto

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]

pebjuh.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b4ca8-1ff3-11db-8d87-00c09fad92cb}]

AutoRun\command- E:\LaunchU3.exe

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-12 11:30:31 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-13 13:04:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?0?0?7??`???? ?,?B?????????????hLC? ??????

 

scanning hidden files ...

 

**************************************************************************

 

Completion time: 2007-06-13 13:05:17

C:\ComboFix-quarantined-files.txt ... 2007-06-13 13:04

 

--- E O F ---

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\install.log

 

 

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

 

 

No new files created in this timespan

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-12 11:34:12 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Apple Computer

2007-06-12 11:30:28 -------- d-----w C:\Program Files\Apple Software Update

2007-06-07 10:42:34 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Lavasoft

2007-06-06 17:08:35 -------- d-----w C:\Program Files\Google

2007-06-06 14:59:14 -------- d-----w C:\Program Files\Hp

2007-05-30 09:50:21 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\U3

2007-05-29 13:50:40 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-05 17:38:28 -------- d-----w C:\Program Files\iTunes

2007-05-05 17:38:15 -------- d-----w C:\Program Files\iPod

2007-05-05 12:38:59 -------- d-----w C:\Program Files\QuickTime

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

2007-03-21 20:51:11 298,104 ----a-w C:\WINDOWS\system32\imon.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2004-08-04 12:00:00 2,495,488 --sh--r C:\WINDOWS\system32\pebjuh.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-05 14:52]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24]

"hpWirelessAssistant"="%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" []

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 14:54]

"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]

"HPHUPD06"="C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 06:09]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-21 21:51]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-11 11:58]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"RegistryMechanic"="" []

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert White^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=C:\Documents and Settings\Robert White\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert White^Start Menu^Programs^Startup^Vitrite.lnk]

path=C:\Documents and Settings\Robert White\Start Menu\Programs\Startup\Vitrite.lnk

backup=C:\WINDOWS\pss\Vitrite.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ireland.com email alert]

C:\Program Files\email alert\ireland\irealert.exe -auto

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]

pebjuh.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b4ca8-1ff3-11db-8d87-00c09fad92cb}]

AutoRun\command- E:\LaunchU3.exe

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-12 11:30:31 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-13 13:08:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?0?0?7??????? ?,?B?????????????hLC? ??????

 

scanning hidden files ...

 

**************************************************************************

 

Completion time: 2007-06-13 13:09:12

C:\ComboFix-quarantined-files.txt ... 2007-06-13 13:09

 

--- E O F ---

 

C:\ComboFix-quarantined-files.txt

 

2006-03-27 23:09	  1120	--a------	C:\Qoobox\Quarantine\C\INSTALL.LOG.vir


Folder PATH listing
Volume serial number is 008B-73EB
C:\QOOBOX
\---Quarantine
+---C
|	   INSTALL.LOG.vir
|	   
\---Registry_backups


Logfile of HijackThis v1.99.1

Scan saved at 13:18, on 2007-06-13

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HPQ\shared\hpqwmi.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Safari\Safari.exe

C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\Rar$EX00.328\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB004" /M "Stylus Photo R320"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://213.190.145.76/MapControl/Download/mgaxctrl.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146829505906

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Your log is clean. Just some clean up to do.

 

; Purpose: Remove traces in the registry.

;

; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.

;

; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]

 

; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

 

  • Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

Delete this file.

 

C:\WINDOWS\system32\pebjuh.exe

 

Restart the computer normally to reset the registry.

 

Let me know what problem remains.

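The fix above is two manual checks made by eye: a startup entry named like a Microsoft component that launches a bare filename (`pebjuh.exe`, no directory, so it is resolved by PATH search), and a file in system32 carrying hidden+system attributes that nothing legitimate put there. As an added example, not code from this thread or from ComboFix/HijackThis, the script below applies those same checks to the log excerpts posted above and emits a REGEDIT4 deletion in the same form as the posted Fix.reg. The sample input is copied from the ComboFix log on this page; the reading of the attribute column (`s` = system, `h` = hidden) and the use of the XP SP2 file timestamp as a timestomping tell are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in this thread
# (one malicious entry plus benign ones of each kind so the rules have something to pass).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ireland.com email alert]
C:\Program Files\email alert\ireland\irealert.exe -auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
pebjuh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-21 20:51:11 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2004-08-04 12:00:00 2,495,488 --sh--r C:\WINDOWS\system32\pebjuh.exe
"""

STARTUPREG = "\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"
# Program name at the start of a command line, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)")
# ComboFix Find3M line: timestamp, size (or dashes for a directory), 7-char attribute string, path.
FIND3M_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+|-+)\s+([-a-z]{7})\s+(.+)$")
LURE_WORDS = ("microsoft", "windows", "update", "security")
# Assumption: 's' = system and 'h' = hidden in ComboFix's attribute column, and genuine
# XP SP2 system files carry this normalised timestamp, so a hidden+system .exe that
# copies it is blending in rather than shipped with the OS.
XP_SP2_STAMP = "2004-08-04 12:00:00"


@dataclass
class Finding:
    subject: str      # registry key or file path
    reason: str
    key: str = ""     # full registry key when the finding is a startup entry


def executable_of(command: str) -> str:
    """Return the program a startup command line launches (quoted, unquoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def parse_startupreg(log: str):
    """Yield (key, entry name, command) for msconfig 'startupreg' entries in a ComboFix log."""
    key = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key and STARTUPREG.lower() in key.lower() and line:
            yield key, key.rsplit("\\", 1)[-1], line
            key = None  # only the first non-blank line after the key is the command


def parse_find3m(log: str):
    """Yield (timestamp, attribute string, path) from ComboFix 'Find3M' lines."""
    for line in log.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3), m.group(4)


def triage(log: str) -> list[Finding]:
    """Flag hidden+system executables and startup entries that point at them or at bare filenames."""
    findings: list[Finding] = []
    hidden_exes: dict[str, str] = {}
    for stamp, attrs, path in parse_find3m(log):
        if "s" in attrs and "h" in attrs and path.lower().endswith(".exe"):
            why = f"hidden+system executable ({attrs})"
            if stamp == XP_SP2_STAMP:
                why += ", timestamp identical to XP SP2 system files (possible timestomping)"
            hidden_exes[path.rsplit("\\", 1)[-1].lower()] = path
            findings.append(Finding(path, why))
    for key, name, command in parse_startupreg(log):
        exe = executable_of(command)
        reasons = []
        if "\\" not in exe and "/" not in exe:
            reasons.append("bare filename, resolved via PATH search")
        trusted = exe.lower().startswith(("c:\\windows", "c:\\program files"))
        if any(w in name.lower() for w in LURE_WORDS) and not trusted:
            reasons.append("name mimics a Microsoft component but launches no full path under C:\\WINDOWS or Program Files")
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in hidden_exes:
            reasons.append(f"launches hidden file {hidden_exes[base]}")
        if reasons:
            findings.append(Finding(key, "; ".join(reasons), key=key))
    return findings


def reg_fix(findings: list[Finding]) -> str:
    """Build a REGEDIT4 file deleting every flagged startup key, in the form of the posted Fix.reg."""
    lines = ["REGEDIT4", ""]
    for f in findings:
        if f.key:
            lines += [f"[-{f.key}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.subject}\n    {f.reason}")
    print(reg_fix(found))
```

The file deletion itself is left to the operator, as in the posted instructions: the script only names the path, because a hidden+system file in system32 should be hashed and submitted to the AV vendor before it is removed, which also answers the poster's later question about what the trojan was.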

Thanks for your help... Everything seems to be ticking along nicely now. Do you have any idea what this trojan might have been?

 

Cheers


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
