Jump to content


Photo

Home page hijacked to Porno Site


  • Please log in to reply
13 replies to this topic

#1 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 18 June 2004 - 10:26 PM

Help. Today I was on a fatwallet.com message board. I clicked on a link to a site that was supposed to give free gmail accounts. I didn't click on anything on that site but nothing has been the same since.

My home page goes to a porno site. I cannot change my home page back because the home page area is greyed out.

Numerous porn pop-ups come up even when I am not logged on to the internet.

I get an error message and the system reboots every 5 to 10 minutes. The error message indicates a problem with the lsass.exe. I have tempoarily stoped this from happening by setting RCP recovery to "take no action"

There is a shortcut on my desktop MOO that I delete but it comes back with each
reboot.


I have donloaded and run Ad-Aware6 SpyBot and CWshredder. I am stilling having the problems.

I ran the scan from HiJackThis

I really appreciate any help you can give me

Here is my scan
Logfile of HijackThis v1.97.7
Scan saved at 10:58:08 PM, on 6/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\System32\lsas.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\kbdest.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ufo365.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ufo365.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufo365.com/first.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ufo365.com/first.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ufo365.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ufo365.com/search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.ufo365.com/first.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/info/e-center-p
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [COM+ System Applications] lsas.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\xqldrj.exe
O4 - HKLM\..\Run: [internet.exe] C:/system.hta
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [COM+ System Applications] lsas.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [kbdest] C:\WINDOWS\System32\kbdest.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 21 June 2004 - 12:35 AM

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\lsas.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ufo365.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ufo365.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufo365.com/first.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ufo365.com/first.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ufo365.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ufo365.com/search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.ufo365.com/first.htm

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [COM+ System Applications] lsas.exe
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\xqldrj.exe
O4 - HKLM\..\Run: [internet.exe] C:/system.hta
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [COM+ System Applications] lsas.exe
O4 - HKCU\..\Run: [kbdest] C:\WINDOWS\System32\kbdest.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\lsas.exe
C:\WINDOWS\System32\xqldrj.exe
C:/system.hta
C:\WINDOWS\avserve2.exe
C:\WINDOWS\System32\kbdest.exe
C:\WINDOWS\System32\winupd.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#3 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 21 June 2004 - 08:23 AM

Thank you very much for your help. Things are better but I still have some problems. My home page is about blank and I can't change it. I can't log into my e-mail accound. My password seam to have been changed.

I followed your instructions as best I could but there were some things I coulndn't do. In HiHackThis, you said to check
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\lsas.exe
they were in the log but the check list didn't have any running processes so I couldn't check them.
I tried both methods of getting to safemode and I couln't. Nothing happened with F8 and it couldn't find msconfig. (I am running XP 5.1). I deleted the files in normal mode but I couldn't delete lsas.exe winupd. I got an access denied message.

this is my current log.

Logfile of HijackThis v1.97.7
Scan saved at 9:00:03 AM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\System32\lsas.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/info/e-center-p
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.9\THGuard.exe
O4 - HKLM\..\Run: [COM+ System Applications] lsas.exe
O4 - HKLM\..\RunServices: [COM+ System Applications] lsas.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

#4 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 21 June 2004 - 01:50 PM

First:
Please copy the text in the box below to Notepad and save it to your desktop as
reginfo.bat.

Regedit /e appinit.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
Start notepad.exe appinit.txt
exit


Double-click on reginfo.bat which will run and open a file in Notepad.

Copy and paste the contents of that entire file in this thread.


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
O4 - HKLM\..\Run: [COM+ System Applications] lsas.exe
O4 - HKLM\..\RunServices: [COM+ System Applications] lsas.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe

Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
(note: if you cannot getinto safe mode, reboot normally and try to delete)
C:\WINDOWS\System32\lsas.exe
C:\WINDOWS\System32\winupd.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#5 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 21 June 2004 - 08:35 PM

I need some help completing step one. The directions didn,t say what to call the file in notepad. Nothing happened when I saved as txt. I tried saving it as test.exe. It ran and gave me an error "A temporary file needed for initializatio could not be writen to. Make sure the directory paths exist, and disk space is available." I don't think this is part of my hijack problm but I don't know how to get the info for you. Notepad is in my c:\windows directory and I can run it from there but it doesn't run from the program menu under start.
I still have these problems. My home page is about blank and I can't change it. I can't log into my e-mail accound. My password seams to have been changed. I am checking with my e-mail provider about the e-mail. There seems to be a lot of spam in my mailbox just after the problems started. Then I didn't access my e-mail for 2 days, so maybe I exceeded some mail limit.

I did run HiJackThis. I was able to boot in safe mode (I had to hit F8 very early in the booting process to get it to work). I logged on as admin. I deleted the winuptd file but it still told me that I didn't have access to delete lsass.

Thank you for the help.



The following is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 9:13:58 PM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/info/e-center-p
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\vaxut.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

Edited by tranq, 21 June 2004 - 08:37 PM.


#6 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 21 June 2004 - 08:45 PM

Sorry, must have got hacked in copying. I corrected the post. PLease follow previous instructions.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#7 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 21 June 2004 - 11:00 PM

Here are the results for reginfo

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

#8 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 21 June 2004 - 11:33 PM

Your log is clean but you mentioned 'About Blank' as a home page. Let's run one more check to see if you are infected with a CWS variant.

Download Beta-Fix.exe from here: http://freeatlast.100free.com/

Double Click on the Beta-Fix.exe and it will install the batch file in its own folder.

Open the Beta-Fix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the Beta-Fix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the Beta-Fix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#9 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 22 June 2004 - 08:00 AM

Here is log.txt result

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Tue 06/22/2004
8:35am up 0 days, 0:20
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Locked or 'Suspect' file(s) found...


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
╗╗╗Special 'locked' files scan in 'System32'........

****Filtering files in System32... (-h -s -r...) ***
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
Sniffing..........

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group NOTEBOOK\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\Phyllis
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: NOTEBOOK\Phyllis

Primary Group: NOTEBOOK\None



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
8:35am up 0 days, 0:20
Tue 06/22/2004

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-22-2004 winbackup.hiv
File not found - keys1\winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG



I don't see anyway do an attachment so here is win.txt

regf                                                                                       
                                                                                 
                                                                                 
                                                                                 
                                                                         »ŐśÖ hbin  Ę   nk, 0tčhO┬               ° x      0  , "  Windows ╚■  sk x x    ö     ý
     !
 Ç  !      #
 Ç  #  ?    
     ?   
    ?    
        ě   vk  Ç   f¨AppInit_DLLsÍ?ŠG ░ đ   vk     └UDeviceNotSelectedTimeout­   1 5  ě(═W­   9 0  ! đ   vk  Ç'   zGDIProcessHandleQuota"■Ó   vk  Ç   ░║Spooler2­   y e s └  ░ Ó 0 ` Ę Ó   vk  Ç   =pswapdiskđ   vk     R┐TransmissionRetryTimeoutÓ   ░ Ó 0 ` Ę ╚  đ   vk  Ç'   USERProcessHandleQuotao Ş regf                                                                                       
                                                                                 
                                                                                 
                                                                                 
                                                                         »ŐśÖ hbin  Ę   nk, 0tčhO┬               ° x      0  , "  Windows ╚■  sk x x    ö     ý
     !
 Ç  !      #
 Ç  #  ?    
     ?   
    ?    
        ě   vk  Ç   f¨AppInit_DLLsÍ?ŠG ░ đ   vk     └UDeviceNotSelectedTimeout­   1 5  ě(═W­   9 0  ! đ   vk  Ç'   zGDIProcessHandleQuota"■Ó   vk  Ç   ░║Spooler2­   y e s └  ░ Ó 0 ` Ę Ó   vk  Ç   =pswapdiskđ   vk     R┐TransmissionRetryTimeoutÓ   ░ Ó 0 ` Ę ╚  đ   vk  Ç'   USERProcessHandleQuotao Ş

#10 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 22 June 2004 - 12:51 PM

That log is clean so I am wondered where the About Blank is coming from.

Please run CWS Shredder in Safe Mode and then post a new HiJckThis log in this thread.

Please Download CoolWebShredder, from
http://www.merijn.or.../cwshredder.zip
http://www.zerosreal.../CWShredder.zip

Extract CWShredder to its own folder,

Reboot in Safe Mode*** and run the program.

Be sure all open windows are closed.

Click the 'Fix ->' button.

Make sure you let it fix all CWS Remnants.

Afterwards Reboot.

Then, please Post a fresh Hijack This log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#11 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 22 June 2004 - 02:34 PM

CWS said it was clean. under internet options Programs I reset the options to the defaults. My home page is now HP Home. It is still grayed out in options so I can't change it. Outlook is now letting one of my 2 e-mail IDs log in - I think my e-mail provider will solve that problem. Here is my log from HiJackThis
Logfile of HijackThis v1.97.7
Scan saved at 3:19:16 PM, on 6/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/info/e-center-p
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\vaxut.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

#12 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 22 June 2004 - 03:18 PM

We can fix the issue of not being able to change your home page fairly easily in HiJackThis.But you have a more serious problem right now. I see portions of McAfee Av installed, but nothing is running and you have been infected again.

Here are the HJT instructions:

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\vaxut.exe
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\System32\vaxut.exe
C:\WINDOWS\Temp\TPDIR\setup.exe
C:\WINDOWS\System32\winupd.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#13 tranq

tranq

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 22 June 2004 - 05:05 PM

I installed McAfee Av 7.0 from a CD after the problems started. I don't think it ever started running. I am going to try reinstalling it if we ever clear this up.

The C:\WINDOWS\Temp\TPDIR\ was gone after I booted in safe mode. I deleted the other files.

Here is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 5:59:15 PM, on 6/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/info/e-center-p
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow for Amazon.com USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

#14 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 22 June 2004 - 05:52 PM

Looks clean. This entry needs to be removed with HiJackThis:L O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe


It is not running but the registry entry should be deleted.

Check the following item in HiJackTHis;
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe

Close all open windows except HiJackThis and press 'Fix Checked'

Next:
You are running an outdated and therefore unsafe version of Internet Explorer.
You NEED to upgrade to IE 6.0 SP1
http://v4.windowsupd.../en/default.asp

(Make sure you get the correct language version for your operating system! ).

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploits.


And finally:
Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

1. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

2. Download and install the following free programs]
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: http://www.staff.uiu...es/resource.htm

1. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.

Everyone else having a similar issue, please launch a new topic for yourselves.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button