I'm sorry it took so long to get back.
Here's a current HiJack This:
Logfile of HijackThis v1.99.1
Scan saved at 6:47:26 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\mEvans\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://centurytel.myway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program
Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet
Explorer provided by CenturyTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride
= local;localhost
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration
Class) - http://support.charter.com/sdccommon/do ... gctlcm.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner
3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -
http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
- http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control
Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_42.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) -
https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4A769165-055C-4566-ABBB-3EA82DD4F8AE} (IVSLite.FastViewer) -
http://ipinviewer.lunarpages.com/bin/IVSLite.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... web_site.c
ab?1121448280515
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -
http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control)
- http://66.250.123.194/wg_webeye.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -
https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) -
http://www.bravetree.com/downloader/BTDownloadCtrl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
http://download.abacast.com/download/fi ... tup144.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) -
http://photos.msn.com/resources/neutral ... 10,0,910,0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program
Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
I would like to get rid of the two items I told you the F-Secure scan found {(C:\Documents and Settings\Owner\Local Settings\TEMPMBROIT.EXE)and (C:\Program Files\Common Files\System\svchost.exe)}. Oddly, both of these have icons featuring a horse (trojan?) on the computer screen. Properties show them both to have been created Dec. 15, 2007. Is it safe to just delete them, or can you guide me please?
I used VIRUS TOTAL to check them, and here are the results.
* C:\Documents and Settings\Owner\Local Settings\TEMPMBROIT.EXE
VIRUS TOTAL
File Tempmbroit.exe received on 01.20.2008 01:12:01 (CET)
Current status: finished
Result: 8/32 (25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 TR/FWDisable.40676
Authentium 4.93.8 2008.01.19 -
Avast 4.7.1098.0 2008.01.19 -
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 BehavesLike:Trojan.WUDisable
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.19 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.19 -
F-Prot 4.4.2.54 2008.01.19 -
F-Secure 6.70.13260.0 2008.01.19 Malware.BJGH
Ikarus T3.1.1.20 2008.01.19 BehavesLike.Trojan.WUDisable
Kaspersky 7.0.0.125 2008.01.20 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2807 2008.01.19 -
Norman 5.80.02 2008.01.18 Malware.BJGH
Panda 9.0.0.4 2008.01.19 -
Prevx1 V2 2008.01.20 Trojan.Gorhax
Rising 20.27.50.00 2008.01.19 -
Sophos 4.24.0 2008.01.19 -
Sunbelt 2.2.907.0 2008.01.17 Trojan.WUDisable
Symantec 10 2008.01.19 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.19 -
Webwasher-Gateway 6.6.2 2008.01.18 Trojan.FWDisable.40676
Additional information
File size: 40676 bytes
MD5: e3e57623835c4e44cc98a79683d94c60
SHA1: 0bcc6e615da156b291dda225732803de8a553024
PEiD: -
Prevx info:
http://info.prevx.com/aboutprogramtext. ... 00815F39EA
003AC133C7
* C:\Program Files\Common Files\System\svchost.exe
VIRUS TOTAL
File svchost.exe received on 01.20.2008 00:33:17 (CET)
Current status: finished
Result: 2/32 (6.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.19 -
Avast 4.7.1098.0 2008.01.19 -
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.19 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.19 -
F-Prot 4.4.2.54 2008.01.19 -
F-Secure 6.70.13260.0 2008.01.19 Malware.BJCW
Ikarus T3.1.1.20 2008.01.19 -
Kaspersky 7.0.0.125 2008.01.20 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2807 2008.01.19 -
Norman 5.80.02 2008.01.18 Malware.BJCW
Panda 9.0.0.4 2008.01.19 -
Prevx1 V2 2008.01.20 -
Rising 20.27.50.00 2008.01.19 -
Sophos 4.24.0 2008.01.19 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.19 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.19 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 185303 bytes
MD5: 3a596e4b011e7da1e61d5ec9c22a1706
SHA1: 51803984be0ac80bf447595e75edaa95b63e81e3
PEiD: -
We are also a bit suspicious of these two. Having reasearched a little, it looks like
svchost.exe should only be within c:\WINDOWS\System32 or C:\WinNT\System32.
* C:\WINDOWS\ServicePackFiles\i386\svchost.exe
File svchost.exe received on 01.20.2008 01:31:32 (CET)
Current status: finished
Result: 0/32 (0%)
* C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
File svchost.exe received on 01.20.2008 01:23:04 (CET)
Current status: finished
Result: 0/32 (0%)
Thanks again!
Heydaze