Trojans, Viruses and Malware I CANNOT get rid of



AURAcatalyst
2007-01-10, 05:41
I've just gotten this computer and accidentally downloaded some infected files that, in the end, infected my system. It's been a couple of days now, after some basic removal with Norton Internet Security 2006 and Avast... as well as good old Spybot, and I found that there is something else wrong. I downloaded HijackThis and read through the log; it seems nothing is wrong with it, but I'm not sure... I need help!

Logfile of HijackThis v1.99.1
Scan saved at 11:23:03 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\hpsysdrv.exe
c:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85FFC58-3DB0-4340-9414-69773E487787}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Shaba
2007-01-10, 08:35
Hi AURAcatalyst

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)

AURAcatalyst
2007-01-11, 05:01
Logfile of HijackThis v1.99.1
Scan saved at 10:59:01 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HJT.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F67AA1F-E6F7-43D4-BADD-445EB3EF5A38} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {27B4831E-FA7A-4037-ACD6-8360B135B946} - C:\WINDOWS\system32\vtuvstt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\kywuprgi.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85FFC58-3DB0-4340-9414-69773E487787}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: vtuvstt - C:\WINDOWS\SYSTEM32\vtuvstt.dll
O20 - Winlogon Notify: winmmt32 - C:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Shaba
2007-01-11, 08:14
Hi

Follow these (http://forums.spybot.info/showthread.php?t=4394) instructions and post a fresh HijackThis log and c:\vundofix.txt, please :)

AURAcatalyst
2007-01-12, 05:21
Well, here's the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 11:18:33 PM, on 1/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HJT.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27B4831E-FA7A-4037-ACD6-8360B135B946} - C:\WINDOWS\system32\vtuvstt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\kywuprgi.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3425328-ED90-4CF3-B33D-FD23AA637227} - C:\WINDOWS\system32\sstqq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: vtuvstt - C:\WINDOWS\SYSTEM32\vtuvstt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

And here's the VundoFix log...

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 10:45:07 PM 1/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\winmmt32.dll
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\qqtss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winmmt32.dll
C:\WINDOWS\system32\winmmt32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\sstqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\qqtss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.tmp
C:\WINDOWS\system32\qqtss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Shaba
2007-01-12, 08:37
Hi

Is Norton up-to-date? If so, you should uninstall avast! Only one antivirus should be active per computer.

Open HijackThis, click "Do a system scan only" and checkmark these:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\kywuprgi.dll
O2 - BHO: (no name) - {D3425328-ED90-4CF3-B33D-FD23AA637227} - C:\WINDOWS\system32\sstqq.dll (file missing)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Go to start -> run
Type the following text and press OK:

"%userprofile%\desktop\combofix.exe" /v vtuvstt

3. Reboot

4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Delete if present:

C:\WINDOWS\system32\kywuprgi.dll
C:\WINDOWS\system32\drjquxnn.dll

Empty Recycle Bin

Send:

- a fresh HijackThis log
- combofix report
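The entries picked out above follow a few recognisable patterns: targets that are already gone ("(no file)" / "(file missing)"), unnamed Browser Helper Objects that load a randomly named DLL from system32, a Run entry that starts a system32 DLL through rundll32.exe, Winlogon Notify handlers that are not stock Windows components, and, in the VundoFix output, a DLL whose companion .ini carries the mirror-image name (sstqq.dll / qqtss.ini). The script below is an added example for this thread, not a HijackThis, Spybot or VundoFix component; it applies those patterns to sample log lines (constructed from the shape of the logs posted here) so the triage can be repeated on another log. The Winlogon Notify allowlist is an assumption of the example, and note that "(no name)" on its own is not enough, since Spybot's own SDHelper.dll is listed that way too.

```python
"""Triage HijackThis v1.99-style log lines for Vundo-type entries.

Added example for this thread; not a HijackThis, Spybot or VundoFix component.
Flags: dead references, unnamed BHOs loading a system32 DLL, Run entries that
launch a system32 DLL via rundll32.exe, non-stock Winlogon Notify handlers,
and DLL / .ini pairs whose file stems are mirror images of each other.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample made of lines in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F67AA1F-E6F7-43D4-BADD-445EB3EF5A38} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D3425328-ED90-4CF3-B33D-FD23AA637227} - C:\WINDOWS\system32\sstqq.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm
O20 - Winlogon Notify: vtuvstt - C:\WINDOWS\SYSTEM32\vtuvstt.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Constructed sample of the file list VundoFix printed above.
VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\winmmt32.dll",
    r"C:\WINDOWS\system32\sstqq.dll",
    r"C:\WINDOWS\system32\qqtss.ini",
    r"C:\WINDOWS\system32\qqtss.bak1",
    r"C:\WINDOWS\system32\qqtss.ini2",
]

# Stock Windows XP Winlogon Notify subkeys. This allowlist is an assumption of
# the example; build the real one from a known-clean machine of the same build.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

_SECTION_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path on the line, up to and including its .dll/.exe/.ocx suffix.
_PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|ocx))\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str
    line: str


def extract_path(body: str):
    m = _PATH_RE.search(body)
    return m.group(1) if m else None


def in_system32(path: str) -> bool:
    return "system32" in (p.lower() for p in PureWindowsPath(path).parts)


def triage_line(line: str):
    """Return a Finding for one log line, or None when nothing stands out."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None                       # header / process-list line, not an entry
    code, body = m.group("code"), m.group("body")
    path = extract_path(body)
    if body.endswith(("(file missing)", "(no file)")):
        return Finding(code, "dead reference: target no longer exists", line)
    if code == "O2" and "(no name)" in body and path and in_system32(path):
        return Finding(code, "unnamed BHO loading a DLL from system32", line)
    if code == "O4" and "rundll32" in body.lower() and path and in_system32(path):
        return Finding(code, "Run entry loads a system32 DLL via rundll32.exe", line)
    if code == "O20" and path:
        if PureWindowsPath(path).stem.lower() not in KNOWN_WINLOGON_NOTIFY:
            return Finding(code, "Winlogon Notify handler not in the stock allowlist", line)
    return None


def triage_log(text: str):
    return [f for f in (triage_line(l) for l in text.splitlines() if l.strip()) if f]


def reversed_name_pairs(paths):
    """Pair each .dll with a .ini whose stem is the DLL stem reversed (sstqq / qqtss)."""
    stems = {}
    for p in paths:
        wp = PureWindowsPath(p)
        stems.setdefault(wp.stem.lower(), set()).add(wp.suffix.lower())
    pairs = []
    for stem, suffixes in stems.items():
        mirror = stem[::-1]
        if ".dll" in suffixes and ".ini" in stems.get(mirror, ()):
            pairs.append((stem + ".dll", mirror + ".ini"))
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for dll, ini in reversed_name_pairs(VUNDOFIX_FILES):
        print(f"mirror-named pair: {dll} <-> {ini}")
```

Run against the sample, the script flags the R3 dead hook, the two sstqq.dll BHO entries, the rundll32 Run entry and the vtuvstt Winlogon Notify handler, while leaving Acrobat, Spybot's SDHelper, ccApp and the ATI service alone; the VundoFix list yields the single pair sstqq.dll / qqtss.ini. It is a first-pass filter only: anything it flags still needs the manual review the thread shows before removal.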

AURAcatalyst
2007-01-15, 03:59
Sorry I haven't posted. Been a little busy... But here are the two logs.

First, HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 9:41:18 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\HijackThis\HJT.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EFD2035-20A2-4FF9-9A5B-F0BCF77DFFE2} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



And now the ComboFix log...

"HP_Owner" - 07-01-14 21:32:05 Service Pack 2
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\HP_Owner\desktop"
Command switches used :: /v vtuvstt

((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))


2007-01-14 12:21 <DIR> d-------- C:\Program Files\NeverwinterNights
2007-01-11 22:45 <DIR> d-------- C:\VundoFix Backups
2007-01-10 22:58 81,684 --a------ C:\WINDOWS\system32\cmnxdvey.dll
2007-01-10 14:50 <DIR> d-------- C:\UT2004
2007-01-09 23:34 <DIR> d-------- C:\Program Files\Emulators
2007-01-09 21:34 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Ahead
2007-01-09 21:20 22,541 ---hs---- C:\WINDOWS\system32\efcyyww.dll
2007-01-07 23:05 <DIR> d---s---- C:\DOCUME~1\HP_Owner\UserData
2007-01-07 16:31 967 --a------ C:\WINDOWS\ScUnin.pif
2007-01-07 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-01-07 16:24 <DIR> d-------- C:\Program Files\Starcraft
2007-01-07 15:34 <DIR> d-------- C:\Program Files\CyberFront
2007-01-06 03:06 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-06 00:56 <DIR> d-------- C:\HijackThis
2007-01-05 22:38 22,541 ---hs---- C:\WINDOWS\system32\ljjjkji.dll
2007-01-05 22:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-05 20:55 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Help
2007-01-05 17:49 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-01-05 17:49 126,976 --a------ C:\WINDOWS\War3Unin.exe
2007-01-05 17:46 <DIR> d-------- C:\Program Files\Warcraft III
2007-01-05 01:48 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-04 19:54 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-04 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-01-04 16:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-03 22:23 81,684 --a------ C:\WINDOWS\system32\vrwugsrv.dll
2007-01-03 22:23 44,060 --a------ C:\WINDOWS\system32\kywuprgi.dll
2007-01-03 22:23 118,804 --a------ C:\WINDOWS\system32\drjquxnn.dll
2007-01-03 22:16 27,648 --a------ C:\nawueg.exe
2007-01-03 22:15 22,541 ---hs---- C:\WINDOWS\system32\ddcyyxw.dll
2007-01-03 21:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-01-03 21:12 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-03 21:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-01-03 21:11 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-03 20:42 <DIR> dr-h----- C:\MSOCache
2007-01-03 16:22 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-01-03 16:22 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-01-03 16:22 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-01-03 16:22 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-01-03 16:22 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-01-03 16:22 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-01-03 16:22 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-01-03 16:22 <DIR> d-------- C:\Program Files\Ahead
2007-01-03 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-03 00:09 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-03 00:07 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Adobe
2007-01-03 00:03 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-01-02 23:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Sonic
2007-01-02 23:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Leadertech
2007-01-02 19:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-02 19:13 <DIR> d-------- C:\Program Files\QuickTime
2007-01-02 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\QuickTime
2007-01-02 19:12 <DIR> d-------- C:\Program Files\Trillian
2007-01-02 18:47 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-01-02 18:46 <DIR> dr-hs---- C:\cmdcons
2007-01-02 18:46 <DIR> d-------- C:\WINDOWS\setup.pss
2007-01-02 18:29 <DIR> d-------- C:\Program Files\Opera
2007-01-02 18:29 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Opera
2007-01-02 17:46 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-01-02 17:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-01-02 17:23 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\HPQ
2007-01-02 17:18 <DIR> d-------- C:\Program Files\Lavalys
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\WINDOWS
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Symantec
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Real
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Intuit
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Symantec
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Real
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Intuit
2007-01-02 16:42 <DIR> d-------- C:\WINDOWS\Prefetch


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 15:47 -------- d--h----- C:\Program Files\installshield installation information
2007-01-12 17:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-10 15:32 -------- d---s---- C:\DOCUME~1\HP_Owner\Application Data\microsoft
2007-01-09 21:47 -------- d-------- C:\Program Files\online services
2007-01-09 21:25 -------- d-------- C:\Program Files\norton internet security
2007-01-05 14:05 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-05 14:05 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-05 14:05 -------- d-------- C:\Program Files\symantec
2007-01-03 00:13 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-03 00:05 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\macromedia
2007-01-02 18:07 -------- d-------- C:\Program Files\quicken
2007-01-02 17:06 -------- d-------- C:\Program Files\Common Files\real
2007-01-02 17:04 -------- d-------- C:\Program Files\Common Files\hp
2007-01-02 17:03 -------- d-------- C:\Program Files\Common Files\sonic shared
2007-01-02 16:59 -------- d-------- C:\Program Files\yahoo!
2007-01-02 16:59 -------- d-------- C:\Program Files\wildtangent
2006-11-28 10:16 -------- d-------- C:\Program Files\hewlett-packard
2006-11-28 10:06 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-11-28 09:56 -------- d-------- C:\Program Files\Common Files\installshield
2006-11-28 09:54 -------- d-------- C:\Program Files\pc-doctor for dos
2006-11-28 09:54 -------- d-------- C:\Program Files\pc-doctor 5 for windows
2006-11-28 09:49 118842 -ra------ C:\WINDOWS\hpcpcuninstaller-6.3.2.116-9972322.exe
2006-11-28 09:48 13570 --a------ C:\WINDOWS\system32\choddi.sys
2006-11-28 09:43 -------- d-------- C:\Program Files\microsoft works
2006-11-28 09:41 -------- d-------- C:\Program Files\msn encarta standard
2006-11-28 09:41 -------- d-------- C:\Program Files\microsoft money 2006
2006-11-28 09:40 -------- d-------- C:\Program Files\hp
2006-11-28 09:33 -------- d-------- C:\Program Files\sonic
2006-11-28 09:33 -------- d-------- C:\Program Files\Common Files\surething shared
2006-11-28 09:31 -------- d-------- C:\Program Files\netscape
2006-11-28 09:31 -------- d-------- C:\Program Files\music_now
2006-11-28 09:22 -------- d-------- C:\Program Files\conexant
2006-11-28 09:21 -------- d-------- C:\Program Files\ati technologies
2006-11-28 09:12 -------- d-------- C:\Program Files\messenger
2006-11-28 09:08 -------- d-------- C:\Program Files\java
2006-11-28 09:08 -------- d-------- C:\Program Files\Common Files\java


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"="RTHDCPL.EXE"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"IS CfgWiz"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE \"REBOOT\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe"
"PCDrProfiler"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job
C:\WINDOWS\tasks\Warranty Reminder 11 month.job
C:\WINDOWS\tasks\Warranty Reminder 15 day.job

Completion time: 07-01-14 21:33:57
C:\ComboFix2.txt ... 07-01-14 21:19

AURAcatalyst
2007-01-15, 06:27
Sorry, I noticed that I generated a second ComboFix log. Here it is...


"HP_Owner" - 07-01-14 21:13:09 Service Pack 2
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\HP_Owner\desktop"
Command switches used :: /v vtuvstt

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vtuvstt.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Ipwindows\ipwins.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{39415~1
C:\Program Files\VSAdd-in
C:\Program Files\Ipwindows


((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))


2007-01-14 12:21 <DIR> d-------- C:\Program Files\NeverwinterNights
2007-01-11 22:45 <DIR> d-------- C:\VundoFix Backups
2007-01-10 22:58 81,684 --a------ C:\WINDOWS\system32\cmnxdvey.dll
2007-01-10 14:50 <DIR> d-------- C:\UT2004
2007-01-09 23:34 <DIR> d-------- C:\Program Files\Emulators
2007-01-09 21:34 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Ahead
2007-01-09 21:20 22,541 ---hs---- C:\WINDOWS\system32\efcyyww.dll
2007-01-07 23:05 <DIR> d---s---- C:\DOCUME~1\HP_Owner\UserData
2007-01-07 16:31 967 --a------ C:\WINDOWS\ScUnin.pif
2007-01-07 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-01-07 16:24 <DIR> d-------- C:\Program Files\Starcraft
2007-01-07 15:34 <DIR> d-------- C:\Program Files\CyberFront
2007-01-06 03:06 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-06 00:56 <DIR> d-------- C:\HijackThis
2007-01-05 22:38 22,541 ---hs---- C:\WINDOWS\system32\ljjjkji.dll
2007-01-05 22:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-05 20:55 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Help
2007-01-05 17:49 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-01-05 17:49 126,976 --a------ C:\WINDOWS\War3Unin.exe
2007-01-05 17:46 <DIR> d-------- C:\Program Files\Warcraft III
2007-01-05 01:48 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-04 19:55 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-04 19:55 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-04 19:55 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-04 19:54 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-01-04 19:54 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-01-04 19:54 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-01-04 19:54 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-04 19:54 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-04 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-01-04 16:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-03 22:23 81,684 --a------ C:\WINDOWS\system32\vrwugsrv.dll
2007-01-03 22:23 44,060 --a------ C:\WINDOWS\system32\kywuprgi.dll
2007-01-03 22:23 118,804 --a------ C:\WINDOWS\system32\drjquxnn.dll
2007-01-03 22:16 27,648 --a------ C:\nawueg.exe
2007-01-03 22:15 22,541 ---hs---- C:\WINDOWS\system32\ddcyyxw.dll
2007-01-03 21:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-01-03 21:12 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-03 21:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-01-03 21:11 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-03 20:42 <DIR> dr-h----- C:\MSOCache
2007-01-03 16:22 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-01-03 16:22 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-01-03 16:22 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-01-03 16:22 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-01-03 16:22 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-01-03 16:22 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-01-03 16:22 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-01-03 16:22 <DIR> d-------- C:\Program Files\Ahead
2007-01-03 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-03 00:09 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-03 00:07 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Adobe
2007-01-03 00:03 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-01-02 23:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Sonic
2007-01-02 23:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Leadertech
2007-01-02 19:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-02 19:13 <DIR> d-------- C:\Program Files\QuickTime
2007-01-02 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\QuickTime
2007-01-02 19:12 <DIR> d-------- C:\Program Files\Trillian
2007-01-02 18:47 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-01-02 18:46 <DIR> dr-hs---- C:\cmdcons
2007-01-02 18:46 <DIR> d-------- C:\WINDOWS\setup.pss
2007-01-02 18:29 <DIR> d-------- C:\Program Files\Opera
2007-01-02 18:29 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Opera
2007-01-02 17:46 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-01-02 17:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-01-02 17:23 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\HPQ
2007-01-02 17:18 <DIR> d-------- C:\Program Files\Lavalys
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\WINDOWS
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Symantec
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Real
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Intuit
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Symantec
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Real
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Intuit
2007-01-02 16:42 <DIR> d-------- C:\WINDOWS\Prefetch


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 15:47 -------- d--h----- C:\Program Files\installshield installation information
2007-01-12 17:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-10 15:32 -------- d---s---- C:\Documents and Settings\HP_Owner\Application Data\microsoft
2007-01-09 21:47 -------- d-------- C:\Program Files\online services
2007-01-09 21:34 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\ahead
2007-01-09 21:25 -------- d-------- C:\Program Files\norton internet security
2007-01-05 22:42 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\adobe
2007-01-05 20:55 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\help
2007-01-05 14:05 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-05 14:05 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-05 14:05 -------- d-------- C:\Program Files\symantec
2007-01-03 00:13 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-03 00:05 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\macromedia
2007-01-02 23:09 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\sonic
2007-01-02 23:09 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\leadertech
2007-01-02 18:52 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\my battle for middle-earth files
2007-01-02 18:29 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\opera
2007-01-02 18:07 -------- d-------- C:\Program Files\quicken
2007-01-02 17:23 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\hpq
2007-01-02 17:06 -------- d-------- C:\Program Files\Common Files\real
2007-01-02 17:06 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\real
2007-01-02 17:04 -------- d-------- C:\Program Files\Common Files\hp
2007-01-02 17:03 -------- d-------- C:\Program Files\Common Files\sonic shared
2007-01-02 16:59 -------- d-------- C:\Program Files\yahoo!
2007-01-02 16:59 -------- d-------- C:\Program Files\wildtangent
2006-11-28 10:16 -------- d-------- C:\Program Files\hewlett-packard
2006-11-28 10:14 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\symantec
2006-11-28 10:06 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-11-28 09:56 -------- d-------- C:\Program Files\Common Files\installshield
2006-11-28 09:54 -------- d-------- C:\Program Files\pc-doctor for dos
2006-11-28 09:54 -------- d-------- C:\Program Files\pc-doctor 5 for windows
2006-11-28 09:49 118842 -ra------ C:\WINDOWS\hpcpcuninstaller-6.3.2.116-9972322.exe
2006-11-28 09:48 13570 --a------ C:\WINDOWS\system32\choddi.sys
2006-11-28 09:45 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\intuit
2006-11-28 09:43 -------- d-------- C:\Program Files\microsoft works
2006-11-28 09:41 -------- d-------- C:\Program Files\msn encarta standard
2006-11-28 09:41 -------- d-------- C:\Program Files\microsoft money 2006
2006-11-28 09:40 -------- d-------- C:\Program Files\hp
2006-11-28 09:33 -------- d-------- C:\Program Files\sonic
2006-11-28 09:33 -------- d-------- C:\Program Files\Common Files\surething shared
2006-11-28 09:31 -------- d-------- C:\Program Files\netscape
2006-11-28 09:31 -------- d-------- C:\Program Files\music_now
2006-11-28 09:22 -------- d-------- C:\Program Files\conexant
2006-11-28 09:21 -------- d-------- C:\Program Files\ati technologies
2006-11-28 09:12 -------- d-------- C:\Program Files\messenger
2006-11-28 09:08 -------- d-------- C:\Program Files\java
2006-11-28 09:08 -------- d-------- C:\Program Files\Common Files\java


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"="RTHDCPL.EXE"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"IS CfgWiz"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE \"REBOOT\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe"
"PCDrProfiler"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070114-210947-111
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm
backup-20070114-210947-716
O2 - BHO: (no name) - {D3425328-ED90-4CF3-B33D-FD23AA637227} - C:\WINDOWS\system32\sstqq.dll (file missing)
backup-20070114-210946-928
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\kywuprgi.dll
backup-20070114-210946-417
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job
C:\WINDOWS\tasks\Warranty Reminder 11 month.job
C:\WINDOWS\tasks\Warranty Reminder 15 day.job

Completion time: 07-01-14 21:19:52

Shaba
2007-01-15, 08:21
Hi

Open HijackThis, click "Do a system scan only" and checkmark this:

O2 - BHO: (no name) - {6EFD2035-20A2-4FF9-9A5B-F0BCF77DFFE2} - C:\WINDOWS\system32\mllmj.dll (file missing)

Close all windows, including your browser, and press "Fix checked".

Make your hidden & system files visible; info (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Delete if present:

C:\WINDOWS\system32\vrwugsrv.dll
C:\WINDOWS\system32\kywuprgi.dll
C:\WINDOWS\system32\drjquxnn.dll
C:\nawueg.exe
C:\WINDOWS\system32\ddcyyxw.dll
C:\WINDOWS\system32\cmnxdvey.dll
C:\WINDOWS\system32\efcyyww.dll
C:\WINDOWS\system32\ljjjkji.dll

Empty Recycle Bin

Reboot

Re-run combofix

Send:

- a fresh HijackThis log
- kaspersky report
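
The reply above boils down to two checks a helper makes by eye on the posted logs: HijackThis O2 entries whose DLL no longer exists (the orphaned CLSID), and ComboFix "Files Created" entries for random-named, hidden+system DLLs dropped into system32 on the same day, all of the same size. The script below is an added example for this thread, not code from the forum, from HijackThis or from ComboFix; it parses both log formats and produces the same two-part plan as the reply (CLSIDs to fix, files to delete). The sample input is excerpted from the logs posted above; the low-vowel name heuristic, the attribute test and the "rundll32 in a Run key" rule are this example's own assumptions, not rules of either tool.

```python
"""Triage helper for HijackThis and ComboFix text logs.

Added example for this thread; not code from the forum, HijackThis or
ComboFix.  Flags BHOs whose DLL is gone ("(file missing)"), Run entries that
load a DLL via rundll32, and files created directly in system32 that are
hidden+system or have random-looking names.  The heuristics are assumptions.
"""
import re
from collections import Counter

# Constructed sample input: lines excerpted from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6EFD2035-20A2-4FF9-9A5B-F0BCF77DFFE2} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\kywuprgi.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\drjquxnn.dll",setvm
"""

COMBOFIX_SAMPLE = r"""
2007-01-10 22:58 81,684 --a------ C:\WINDOWS\system32\cmnxdvey.dll
2007-01-09 21:20 22,541 ---hs---- C:\WINDOWS\system32\efcyyww.dll
2007-01-05 22:38 22,541 ---hs---- C:\WINDOWS\system32\ljjjkji.dll
2007-01-03 22:15 22,541 ---hs---- C:\WINDOWS\system32\ddcyyxw.dll
2007-01-03 16:22 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-01-03 00:03 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
CF_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+"
                   r"(?P<attr>[-a-z]{9})\s+(?P<path>.+)$")
SYSTEM32 = r"c:\windows\system32"
VOWELS = set("aeiou")

def looks_random(filename):
    """Assumed heuristic: lowercase alphabetic stem, 5+ letters, under 30% vowels.
    Matches the generated names in this log (mllmj, kywuprgi) but not mdimon."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3

def triage_hjt(text):
    """Return (kind, identifier, detail) tuples for suspicious O2/O4 lines."""
    findings = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("missing"):
                findings.append(("orphaned-bho", m.group("clsid"), path))
            elif path.lower().startswith(SYSTEM32) and looks_random(path.rsplit("\\", 1)[-1]):
                findings.append(("suspicious-bho", m.group("clsid"), path))
            continue
        m = O4_RE.match(line)
        if m and "rundll32" in m.group("cmd").lower():
            findings.append(("rundll32-autorun", m.group("key"), m.group("cmd")))
    return findings

def triage_combofix(text):
    """Return (findings, sizes shared by several flagged files) for files created
    directly in system32.  'h' and 's' in ComboFix's attribute column mean the
    file is hidden and system; one dropper tends to write same-sized copies."""
    findings, sizes = [], Counter()
    for line in text.splitlines():
        m = CF_RE.match(line)
        if not m or m.group("path").lower().rsplit("\\", 1)[0] != SYSTEM32:
            continue
        path, attr = m.group("path"), m.group("attr")
        size = int(m.group("size").replace(",", ""))
        if "h" in attr and "s" in attr:
            findings.append(("hidden-system-file", path, size))
        elif looks_random(path.rsplit("\\", 1)[-1]):
            findings.append(("random-name-file", path, size))
        else:
            continue
        sizes[size] += 1
    return findings, [s for s, n in sizes.items() if n > 1]

def removal_plan(hjt_findings, cf_findings):
    """Mirror the reply above: CLSIDs to 'Fix checked' in HijackThis and files
    to delete once hidden and system files have been made visible."""
    clsids = sorted(ident for kind, ident, _ in hjt_findings
                    if kind in ("orphaned-bho", "suspicious-bho"))
    files = {path for _, path, _ in cf_findings}
    for kind, _, detail in hjt_findings:
        if kind == "suspicious-bho":
            files.add(detail)
        elif kind == "rundll32-autorun":
            m = re.search(r'"([^"]+\.dll)"', detail, re.IGNORECASE)
            if m:
                files.add(m.group(1))
    return clsids, sorted(files)

if __name__ == "__main__":
    hjt = triage_hjt(HJT_SAMPLE)
    cf, clusters = triage_combofix(COMBOFIX_SAMPLE)
    for finding in hjt + cf:
        print(*finding)
    print("same-size clusters:", clusters)
    clsids, files = removal_plan(hjt, cf)
    print("fix in HijackThis:", ", ".join(clsids))
    print("delete:", *files, sep="\n  ")
```

On the sample this reports the orphaned mllmj CLSID, the kywuprgi BHO, the rundll32 autorun for drjquxnn.dll, and the three 22,541-byte hidden+system DLLs, and groups that size as a cluster; the plan lists the two CLSIDs and six files, which is the same set the reply asks the poster to remove by hand. The heuristic is tuned to this family of logs and will miss names that happen to have vowels, so treat its output as a shortlist to check against the log, not as a deletion list to run blind; ComboFix's own Vundo section in the second log (vtuvstt.dll) is the kind of entry a name filter alone would not have caught.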

AURAcatalyst
2007-01-15, 16:18
Alright, here are the two logs again, as per usual...

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:09 AM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HJT.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
And now the ComboFix:

"HP_Owner" - 07-01-15 10:12:26 Service Pack 2
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-15 to 2007-01-15 ))))))))))))))))))))))))))))))))))


2007-01-14 12:21 <DIR> d-------- C:\Program Files\NeverwinterNights
2007-01-11 22:45 <DIR> d-------- C:\VundoFix Backups
2007-01-10 14:50 <DIR> d-------- C:\UT2004
2007-01-09 23:34 <DIR> d-------- C:\Program Files\Emulators
2007-01-09 21:34 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Ahead
2007-01-09 21:20 22,541 ---hs---- C:\WINDOWS\system32\efcyyww.dll
2007-01-07 23:05 <DIR> d---s---- C:\DOCUME~1\HP_Owner\UserData
2007-01-07 16:31 967 --a------ C:\WINDOWS\ScUnin.pif
2007-01-07 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-01-07 16:24 <DIR> d-------- C:\Program Files\Starcraft
2007-01-07 15:34 <DIR> d-------- C:\Program Files\CyberFront
2007-01-06 03:06 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-06 00:56 <DIR> d-------- C:\HijackThis
2007-01-05 22:38 22,541 ---hs---- C:\WINDOWS\system32\ljjjkji.dll
2007-01-05 22:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-05 20:55 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Help
2007-01-05 17:49 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-01-05 17:49 126,976 --a------ C:\WINDOWS\War3Unin.exe
2007-01-05 17:46 <DIR> d-------- C:\Program Files\Warcraft III
2007-01-05 01:48 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-04 19:54 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-04 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-01-04 16:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-03 22:15 22,541 ---hs---- C:\WINDOWS\system32\ddcyyxw.dll
2007-01-03 21:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-01-03 21:12 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-03 21:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-01-03 21:11 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-03 20:42 <DIR> dr-h----- C:\MSOCache
2007-01-03 16:22 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-01-03 16:22 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-01-03 16:22 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-01-03 16:22 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-01-03 16:22 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-01-03 16:22 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-01-03 16:22 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-01-03 16:22 <DIR> d-------- C:\Program Files\Ahead
2007-01-03 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-03 00:09 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-03 00:07 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Adobe
2007-01-03 00:03 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-01-02 23:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Sonic
2007-01-02 23:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Leadertech
2007-01-02 19:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-02 19:13 <DIR> d-------- C:\Program Files\QuickTime
2007-01-02 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\QuickTime
2007-01-02 19:12 <DIR> d-------- C:\Program Files\Trillian
2007-01-02 18:47 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-01-02 18:46 <DIR> dr-hs---- C:\cmdcons
2007-01-02 18:46 <DIR> d-------- C:\WINDOWS\setup.pss
2007-01-02 18:29 <DIR> d-------- C:\Program Files\Opera
2007-01-02 18:29 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Opera
2007-01-02 17:46 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-01-02 17:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-01-02 17:23 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\HPQ
2007-01-02 17:18 <DIR> d-------- C:\Program Files\Lavalys
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\WINDOWS
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Symantec
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Real
2007-01-02 16:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\Application Data\Intuit
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Symantec
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Real
2007-01-02 16:43 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Intuit
2007-01-02 16:42 <DIR> d-------- C:\WINDOWS\Prefetch


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 21:55 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-14 15:47 -------- d--h----- C:\Program Files\installshield installation information
2007-01-10 15:32 -------- d---s---- C:\DOCUME~1\HP_Owner\Application Data\microsoft
2007-01-09 21:47 -------- d-------- C:\Program Files\online services
2007-01-09 21:25 -------- d-------- C:\Program Files\norton internet security
2007-01-05 14:05 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-05 14:05 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-05 14:05 -------- d-------- C:\Program Files\symantec
2007-01-03 00:13 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-03 00:05 -------- d-------- C:\DOCUME~1\HP_Owner\Application Data\macromedia
2007-01-02 18:07 -------- d-------- C:\Program Files\quicken
2007-01-02 17:06 -------- d-------- C:\Program Files\Common Files\real
2007-01-02 17:04 -------- d-------- C:\Program Files\Common Files\hp
2007-01-02 17:03 -------- d-------- C:\Program Files\Common Files\sonic shared
2007-01-02 16:59 -------- d-------- C:\Program Files\yahoo!
2007-01-02 16:59 -------- d-------- C:\Program Files\wildtangent
2006-11-28 10:16 -------- d-------- C:\Program Files\hewlett-packard
2006-11-28 10:06 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-11-28 09:56 -------- d-------- C:\Program Files\Common Files\installshield
2006-11-28 09:54 -------- d-------- C:\Program Files\pc-doctor for dos
2006-11-28 09:54 -------- d-------- C:\Program Files\pc-doctor 5 for windows
2006-11-28 09:49 118842 -ra------ C:\WINDOWS\hpcpcuninstaller-6.3.2.116-9972322.exe
2006-11-28 09:48 13570 --a------ C:\WINDOWS\system32\choddi.sys
2006-11-28 09:43 -------- d-------- C:\Program Files\microsoft works
2006-11-28 09:41 -------- d-------- C:\Program Files\msn encarta standard
2006-11-28 09:41 -------- d-------- C:\Program Files\microsoft money 2006
2006-11-28 09:40 -------- d-------- C:\Program Files\hp
2006-11-28 09:33 -------- d-------- C:\Program Files\sonic
2006-11-28 09:33 -------- d-------- C:\Program Files\Common Files\surething shared
2006-11-28 09:31 -------- d-------- C:\Program Files\netscape
2006-11-28 09:31 -------- d-------- C:\Program Files\music_now
2006-11-28 09:22 -------- d-------- C:\Program Files\conexant
2006-11-28 09:21 -------- d-------- C:\Program Files\ati technologies
2006-11-28 09:12 -------- d-------- C:\Program Files\messenger
2006-11-28 09:08 -------- d-------- C:\Program Files\java
2006-11-28 09:08 -------- d-------- C:\Program Files\Common Files\java
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"="RTHDCPL.EXE"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"IS CfgWiz"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE \"REBOOT\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe"
"PCDrProfiler"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{98a3f3d7-9aa9-11db-941e-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job
C:\WINDOWS\tasks\Warranty Reminder 11 month.job
C:\WINDOWS\tasks\Warranty Reminder 15 day.job

Completion time: 07-01-15 10:14:40
C:\ComboFix2.txt ... 07-01-14 21:33
C:\ComboFix3.txt ... 07-01-14 21:19

Shaba
2007-01-15, 17:11
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\efcyyww.dll
C:\WINDOWS\system32\ljjjkji.dll
C:\WINDOWS\system32\ddcyyxw.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder -> C:\KillBox

Empty Recycle Bin

Re-run ComboFix

Send:

- a fresh HijackThis log
- Kaspersky report

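A small triage script, added here and not part of the thread or of ComboFix, showing how the three files above stand out in the "Files Created" listing: it parses lines in that listing's format and flags DLLs under system32 that carry both the hidden and system attribute flags, grouped by size so that same-size, random-named siblings show up together. The sample lines are constructed from entries in the report above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix "Files Created" line format, copied from
# the kind of entries in the report above (date, time, size, attributes, path).
SAMPLE_LINES = [
    r"2007-01-09 21:20 22,541 ---hs---- C:\WINDOWS\system32\efcyyww.dll",
    r"2007-01-07 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe",
    r"2007-01-05 22:38 22,541 ---hs---- C:\WINDOWS\system32\ljjjkji.dll",
    r"2007-01-03 22:15 22,541 ---hs---- C:\WINDOWS\system32\ddcyyxw.dll",
    r"2007-01-03 21:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll",
    r"2007-01-03 16:22 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe",
    r"2007-01-02 18:46 <DIR> dr-hs---- C:\cmdcons",
]
SAMPLE_REPORT = "\n".join(SAMPLE_LINES)

# One listing line: date, time, size (or <DIR>), 9-character attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def parse_report(text):
    """Return a list of dicts for every line that matches the listing format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, anything else
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"date": m["date"], "time": m["time"], "size": size,
                        "attrs": m["attrs"], "path": m["path"]})
    return entries


def find_hidden_system_dlls(entries):
    """Map size -> sorted paths of system32 DLLs flagged hidden (h) and system (s).

    Directories are skipped; a legitimate DLL in system32 is rarely marked
    hidden+system, and several with identical sizes usually share one origin.
    """
    by_size = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if e["size"] is None or not p.endswith(".dll"):
            continue
        if "\\windows\\system32\\" not in p:
            continue
        if "h" in e["attrs"] and "s" in e["attrs"]:
            by_size[e["size"]].append(e["path"])
    return {size: sorted(paths) for size, paths in by_size.items()}
```

On the sample above this yields a single 22,541-byte cluster containing exactly the three files the post asks to delete.
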
Shaba
2007-01-22, 17:05
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.