Hi Bjorn,
I ran those scans you said to do. And yes, I use CA. I had removed Nortons previously.
Hijack this scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:29 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Common Files\AOL\1222161865\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\PROGRA~1\AOL9~1.1\waol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\microsoft.net\framework\v1.1.4322\csc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://google.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1222161865\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AOL9~1.1\AOL.EXE" -b
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone:
http://*.trymedia.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
http://www.musicnotes.com/download/mnviewer.cabO16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com/resour ... se6662.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/windows ... 0434915968O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... 0690068755O18 - Filter hijack: text/html - {1af2f3b9-95a4-4245-9753-67319d5c35d6} - C:\WINDOWS\system32\msziptools.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: swapdm - C:\WINDOWS\SYSTEM32\swapdm.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) -
https://www.blockbuster.com/app/v.4.208 ... bgTile.pngO24 - Desktop Component 1: (no name) -
http://www.myfamily.com/exec/c/content/ ... /CHASE.jpg--
End of file - 10755 bytes
Haxfix log:
HAXFIX logfile - by Marckie
version 5.057
Fri 01/16/2009 18:30:54.42
running from C:\HaxFix
--- Checking for Haxdoor ---
checking for a3d files
a3d files not found
checking for matching notify keys
matching notify keys found
AtiE
checking for matching services
no matching services found
checking for matching safeboot services
no matching safeboot services found
--- Checking for Goldun - Spybanker ---
checking for SSODL keys
no ssodl keys found
checking for notify keys
swapdm
checking for services
swapm
checking for random used files and services
these files are not necessarily malicious
C:\Documents and Settings\All Users\Documents\My Videos\Thumbs.db
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalps.dll
C:\Program Files\InterVideo\WinDVD\Html\FRC\InterVideo.html
C:\Program Files\Microsoft Office\OFFICE11\VS Runtime\1033\compsvcspkgui.dll
C:\Program Files\Microsoft Office\Office12\1033\PROTTPLN.XLS
C:\Program Files\Microsoft Office\Office12\1033\PROTTPLV.XLS
C:\Program Files\Microsoft Office\Office12\1033\QuickStyles\Traditional.dotx
C:\Program Files\Microsoft Works\1033\WkAbiLng.dll
C:\Program Files\Microsoft Works\1033\Wizards\inspuus.wwp
C:\Program Files\Microsoft Works\1033\Wizards\notrnus.wwp
C:\Program Files\Microsoft Works\1033\Wizards\nottsus.wwp
C:\Program Files\Microsoft Works\1033\Wizards\schbrus.wwp
C:\Program Files\Microsoft Works\1033\Wizards\schesus.wwp
C:\Program Files\WildTangent\Apps\GameChannel\Games\3320769C-062B-4670-BD6B-AA4B3D0E9903\ITEMS\mace1.MDL
C:\Program Files\WildTangent\Apps\GameChannel\Games\413773DA-62DE-4C4C-A0F9-10EFB9317DE5\audiovo\vo_miscother1.ogg
C:\Program Files\WildTangent\Apps\GameChannel\Games\413773DA-62DE-4C4C-A0F9-10EFB9317DE5\audiovo\vo_notspacebar1.ogg
C:\Program Files\WildTangent\Apps\GameChannel\Games\B2AA88B1-4920-462B-9F7C-019782B3C4DB\wire\images\product_logo.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Games\E44A47AF-C94B-4E3F-81A0-979FBA9DAC57\images\cp_vixx_powerup1.gif
C:\WINDOWS\$NtServicePackUninstall$\batt.dll
C:\WINDOWS\$NtServicePackUninstall$\dciman32.dll
C:\WINDOWS\$NtServicePackUninstall$\fxsperf.dll
C:\WINDOWS\$NtServicePackUninstall$\snmptrap.exe
C:\WINDOWS\Fonts\ega40857.fon
C:\WINDOWS\Fonts\modern.fon
C:\WINDOWS\I386\INPUT.IN_
C:\WINDOWS\inf\netdf650.PNF
C:\WINDOWS\inf\mtxvideo.PNF
C:\WINDOWS\system32\batt.dll
C:\WINDOWS\system32\dciman32.dll
C:\WINDOWS\system32\eventvwr.exe
C:\WINDOWS\system32\fxsperf.dll
C:\WINDOWS\system32\igdetect.dll
C:\WINDOWS\system32\uwdf.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\migregdb.exe
C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.inf
C:\WINDOWS\assembly\GAC\Accessibility\1.0.3300.0__b03f5f7f11d50a3a\Accessibility.dll
C:\WINDOWS\assembly\GAC\RegCode.resources\1.0.3300.0_zh-CHT_b03f5f7f11d50a3a\RegCode.Resources.dll
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Accessibility.dll
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscortim.dll
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\zh-CHT\Regasm.resources.dll
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\zh-CHT\RegCode.Resources.dll
C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
C:\WINDOWS\ServicePackFiles\i386\batt.dll
C:\WINDOWS\ServicePackFiles\i386\dciman32.dll
C:\WINDOWS\ServicePackFiles\i386\fxsperf.dll
C:\WINDOWS\ServicePackFiles\i386\mscortim.dll
C:\WINDOWS\ServicePackFiles\i386\snmptrap.exe
C:\WINDOWS\ServicePackFiles\i386\tty.dll
C:\WINDOWS\system32\dllcache\eventvwr.exe
C:\WINDOWS\system32\dllcache\infoctrs.dll
C:\WINDOWS\system32\dllcache\modern.fon
C:\WINDOWS\system32\en-us\icardie.dll.mui
no matching services found
checking for browser helper objects
no known browser helper objects found
checking for appinit files
no files found
checking for possible infected files
please submit these file here:
http://www.bleepingcomputer.com/submit- ... channel=11no files found
checking for Active Setup Installed Components
no known Active Setup Installed Components found
checking iexplore.exe
iexplore.exe is not infected
--- Checking for other Goldun, Spybanker and Haxdoor files ---
C:\WINDOWS\system32\swapm.sys
--- Catchme logfile - thank you Gmer ---
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-01-16 20:55:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
"StartTimeLo"=dword:15fe76f2
"StartTimeHi"=dword:01c97830
"EndTimeLo"=dword:15fe76f2
"EndTimeHi"=dword:01c97830
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2578903513-2405492841-3782243986-1008\Extension-List\{00000000-0000-0000-0000-000000000000}]
"StartTimeLo"=dword:1600d94c
"StartTimeHi"=dword:01c97830
"EndTimeLo"=dword:1600d94c
"EndTimeHi"=dword:01c97830
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3E5CE55715DFdb645AF7A7D265BF0F16\Usage]
"AiOMM"=dword:3a300217
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5F5E2C4F07924f54BA3D1C084C9D164C\Usage]
"statusexe"=dword:3a3003cc
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040211900063D11C8EF10054038389C\Usage]
"HandWritingFiles"=dword:3a30111b
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A7B226B5BF0603641BD11F122DB0CC6D\Usage]
"MarketResearch"=dword:3a300159
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\ACFAB0C38BDBB2948854CDA0B4C48132\Usage]
"SolCntrFiles"=dword:3a3001fe
"Status"=dword:3a30047d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAECDAC2AD5D6D445BCFD7EE78BAC3C0\Usage]
"Unload"=dword:3a300bfe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000099
"TracesSuccessful"=dword:00000098
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Deskjet 5400 Series]
"ChangeID"=dword:00018121
"Attributes"=dword:00000e00
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
--- Analysing Catchme logfile ---
no matching regkeys found
Finished!