View Full Version : Please Help :(
My Computer keeps poping up with things, and i think people are moving my mouse...not sure..im new at this.
this is my log from HIjackthis i renamed it to Analyse.exe
thank you for your time :)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp7.tmp.dll
O2 - BHO: (no name) - {6564a352-e3e1-4349-82a3-5425ad7bba62} - C:\WINDOWS\system32\iasmem.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\Common Files\A&W\MidRadio.ocx
O20 - AppInit_DLLs:
O20 - Winlogon Notify: iasmem - C:\WINDOWS\SYSTEM32\iasmem.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Hi BiNk69
Please download the following program and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Post:
- a fresh HijackThis log
- awf log
- vundofix report
thank you for your help :)
here it is..
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes
Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
02/26/2007 04:55 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\ATIMUL~1\MAIN\BAK
12/01/2004 04:28 PM 69,709 ATIDtct.EXE
12/01/2004 04:32 PM 106,575 launchpd.exe
2 File(s) 176,284 bytes
Directory of C:\PROGRA~1\ATIMUL~1\REMCTRL\BAK
08/27/2004 12:51 AM 200,704 ATIRW.exe
1 File(s) 200,704 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK
02/01/2005 11:23 PM 32,768 cli.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK
12/15/2006 04:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 26 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
154198 Feb 26 2007 "C:\Documents and Settings\Jordan Brimley\Local Settings\Temporary Internet Files\Content.IE5\E1D3S0KE\iTunesSetup[1].exe"
282624 Feb 26 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
69709 Dec 1 2004 "C:\Program Files\ATI Multimedia\main\bak\ATIDtct.EXE"
106575 Dec 1 2004 "C:\Program Files\ATI Multimedia\main\bak\launchpd.exe"
200704 Aug 27 2004 "C:\Program Files\ATI Multimedia\RemCtrl\bak\ATIRW.exe"
32768 Feb 1 2005 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
end of report
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 3:17:51 PM 4/3/2007
Listing files found while scanning....
C:\WINDOWS\system32\tmp7.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 3:37:22 PM 4/3/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Logfile of HijackThis v1.99.1
Scan saved at 3:48:47 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\analyse.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {6564a352-e3e1-4349-82a3-5425ad7bba62} - C:\WINDOWS\system32\iasmem.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\Common Files\A&W\MidRadio.ocx
O20 - AppInit_DLLs:
O20 - Winlogon Notify: iasmem - C:\WINDOWS\SYSTEM32\iasmem.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Hi
* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens,Click Scan for Vundo button.
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files
* Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\iasmem.dll
C:\WINDOWS\system32\memsai.*
* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.
ok, well it didnt say anything about running it as a task, so i just started it, added the files and ran it again
this is HIJACK
Logfile of HijackThis v1.99.1
Scan saved at 4:42:55 AM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\Common Files\A&W\MidRadio.ocx
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Now Vundo
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 3:17:51 PM 4/3/2007
Listing files found while scanning....
C:\WINDOWS\system32\tmp7.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 3:37:22 PM 4/3/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 4:20:42 AM 4/4/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Beginning removal...
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 4:34:02 AM 4/4/2007
Listing files found while scanning....
Beginning removal...
Attempting to delete C:\WINDOWS\system32\iasmem.dll
C:\WINDOWS\system32\iasmem.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 4:37:52 AM 4/4/2007
Listing files found while scanning....
No infected files were found.
Hi
Uninstall from add/remove programs (control panel) this java runtime environment:
1.5.0.8
Open HijackThis, click do a system scan only and checkmark this:
O20 - AppInit_DLLs:
Close all windows including browser and press fix checked.
Reboot.
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Post:
- a fresh HijackThis log
- kaspersky report
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 04, 2007 3:08:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/04/2007
Kaspersky Anti-Virus database records: 291568
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 39600
Number of viruses found 1
Number of infected objects 51
Number of suspicious objects 0
Duration of the scan process 00:24:36
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Jordan Brimley\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\history.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\key3.db Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Messenger\jordanbrimley@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Messenger\jordanbrimley@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Messenger\jordanbrimley@hotmail.com\SharingMetadata\Working\database_1EBC_971_BC09_452D\dfsr.db Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Messenger\jordanbrimley@hotmail.com\SharingMetadata\Working\database_1EBC_971_BC09_452D\fsr.log Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Messenger\jordanbrimley@hotmail.com\SharingMetadata\Working\database_1EBC_971_BC09_452D\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Messenger\jordanbrimley@hotmail.com\SharingMetadata\Working\database_1EBC_971_BC09_452D\tmp.edb Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Windows Live Contacts\Jordanbrimley@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Windows Live Contacts\Jordanbrimley@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Application Data\Mozilla\Firefox\Profiles\6w5nfqau.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\History\History.IE5\MSHist012007040420070405\index.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temp\~DF7086.tmp Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temp\~DF70A3.tmp Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temp\~DF81EA.tmp Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temp\~DF81FF.tmp Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temp\~DF8C62.tmp Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temp\~DF8C77.tmp Object is locked skipped
C:\Documents and Settings\Jordan Brimley\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jordan Brimley\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jordan Brimley\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A684AA7 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A6F1EA0 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A72489C Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A791C95 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A7C4691 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A8C187F Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B1C4FE1 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B8E0D63 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C560E88 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1DCA40EF Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\1EA53DFE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\22063446.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\367B6D89 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Norton AntiVirus\Quarantine\592C2185 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011666.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011667.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011668.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011669.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011670.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011671.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011672.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011673.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011674.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP105\A0011675.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP111\change.log Object is locked skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007940.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007941.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007942.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007943.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007944.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007945.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007946.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP85\A0007947.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008041.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008042.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008043.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008044.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008045.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008046.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008047.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008048.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP94\A0008049.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP95\A0008068.rbf Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011199.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011200.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011201.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011202.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011203.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011204.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011205.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011206.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP98\A0011207.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP111\change.log Object is locked skipped
E:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{72818D44-4A7A-47FE-A975-8E8F101445BC}\RP111\change.log Object is locked skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 3:09:41 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\Common Files\A&W\MidRadio.ocx
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Hi
Empty this folder:
C:\Program Files\Norton AntiVirus\Quarantine\
Empty Recycle Bin
Re-scan with kaspersky.
Post:
- a fresh HijackThis log
- kaspersky report
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.