View Full Version : ByteVerify!exploit; Bonjour; spfjs.exe?
About a week ago, my daughter mentioned that something weird was happening on her pc when she was using aim. The pc has become incredibly slow, so I figured it was time to do a little housecleaning.
Been running Norton antivirus, though I also noted it expired end of May. First thing I noticed was Norton firewall asking if spfjs.exe could access the internet. As many times as I said block, it still kept asking. Found it in windows/system32 and renamed it *.bak. Just for fun, sorted on date and found a slew of .exe files, including spfjs, loaded since 6/1. Couldn't find much information on any of them, except maybe o.exe. Started by trying to load Windows Defender then found this site and tried your suggestions.
So, the on-line virus scan found one it couldn't fix:
Scan Results: 129364 files scanned. 1 virus was detected.
File Infection Status Path
arc.zip-38ee7e53-625dc8a5.zip>Gummy.class Java/ByteVerify!exploit cannot cure C:\Documents and Settings\Meghan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
Spybot cleared up quite a few, and hijackthis.log shows:
Logfile of HijackThis v1.99.1
Scan saved at 11:46:29 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AppPatch\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [spfjs] C:\WINDOWS\system32\spfjs.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WINDOWS MSI Installer Application (LD-MSIEXEC_Inst) - Unknown owner - C:\WINDOWS\AppPatch\msiexec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Any help would be much appreciated! Thanks
Hello DrMom :)
Ok let's do some research first...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix 07-06-13.3 - C:\Download\ComboFix.exe
"Mom" - 2007-06-15 20:42:31 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Mom\Desktop\internet.lnk
C:\WINDOWS\system32\m.exe
C:\WINDOWS\system32\s.exe
C:\WINDOWS\system32\u.exe
C:\WINDOWS\system32\z.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))
2007-06-15 20:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 19:29 <DIR> d-------- C:\Program Files\Security Task Manager
2007-06-11 19:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-06-10 20:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-10 19:55 <DIR> d-------- C:\WINDOWS\pss
2007-06-09 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-09 22:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-09 22:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-09 20:55 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-09 01:29 99,328 --a------ C:\WINDOWS\system32\jrvjkexaot.exe
2007-06-08 16:51 99,328 --a------ C:\WINDOWS\system32\rdlltp.exe
2007-06-08 00:10 99,328 --a------ C:\WINDOWS\system32\zmmsetysv.exe
2007-06-07 20:30 99,328 --a------ C:\WINDOWS\system32\avafhfggpd.exe
2007-06-07 20:27 99,328 --a------ C:\WINDOWS\system32\jaclzbcwetmi.exe
2007-06-07 18:19 99,328 --a------ C:\WINDOWS\system32\sgdjvbcu.exe
2007-06-07 17:11 99,328 --a------ C:\WINDOWS\system32\phnyd.exe
2007-06-07 17:05 99,328 --a------ C:\WINDOWS\system32\fvh.exe
2007-06-07 17:04 99,328 --a------ C:\WINDOWS\system32\cmdbkyhrsfxi.exe
2007-06-06 23:29 66,560 --a------ C:\WINDOWS\system32\ikdwm.exe
2007-06-06 23:17 66,560 --a------ C:\WINDOWS\system32\kbznxl.exe
2007-06-06 23:15 66,560 --a------ C:\WINDOWS\system32\jxdka.exe
2007-06-06 22:36 66,560 --a------ C:\WINDOWS\system32\mozardidr.exe
2007-06-06 17:03 66,560 --a------ C:\WINDOWS\system32\grpzlhqwesfw.exe
2007-06-06 16:51 66,560 --a------ C:\WINDOWS\system32\usfgxulwjtlm.exe
2007-06-06 16:34 66,560 --a------ C:\WINDOWS\system32\wuzfdr.exe
2007-06-06 15:34 66,560 --a------ C:\WINDOWS\system32\vhdrkksirotn.exe
2007-06-06 15:34 66,560 --a------ C:\WINDOWS\system32\ppguaiowht.exe
2007-06-06 15:08 66,560 --a------ C:\WINDOWS\system32\rziesahicav.exe
2007-06-06 15:03 66,560 --a------ C:\WINDOWS\system32\oeqtmimemobc.exe
2007-06-06 15:01 66,560 --a------ C:\WINDOWS\system32\arabogo.exe
2007-06-05 18:30 66,560 --a------ C:\WINDOWS\system32\sxzqmbz.exe
2007-06-05 16:56 66,560 --a------ C:\WINDOWS\system32\dodhzshwopr.exe
2007-06-05 16:54 66,560 --a------ C:\WINDOWS\system32\sfebfd.exe
2007-06-05 16:51 66,560 --a------ C:\WINDOWS\system32\fwkiohghdkww.exe
2007-06-05 16:18 66,560 --a------ C:\WINDOWS\system32\ykmpuckyz.exe
2007-06-05 12:07 66,560 --a------ C:\WINDOWS\system32\ysuxlzhpufh.exe
2007-06-05 11:59 66,560 --a------ C:\WINDOWS\system32\jvwwur.exe
2007-06-05 11:58 66,560 --a------ C:\WINDOWS\system32\pdc.exe
2007-06-04 22:32 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-04 17:36 66,560 --a------ C:\WINDOWS\system32\wj.exe
2007-06-04 17:32 66,560 --a------ C:\WINDOWS\system32\nzfze.exe
2007-06-04 17:27 66,560 --a------ C:\WINDOWS\system32\nt.exe
2007-06-04 17:24 66,560 --a------ C:\WINDOWS\system32\mvfkuiifydvu.exe
2007-06-04 17:20 66,560 --a------ C:\WINDOWS\system32\etixkui.exe
2007-06-04 17:17 66,560 --a------ C:\boot0S.exe
2007-06-04 17:03 66,560 --a------ C:\WINDOWS\system32\ecfacppxccqi.exe
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 14:02 70,656 --a------ C:\WINDOWS\system32\uktswhdpdek.exe
2007-06-02 15:33 66,560 --a------ C:\WINDOWS\system32\xonth.exe
2007-06-02 15:27 66,560 --a------ C:\WINDOWS\system32\wjjbywttug.exe
2007-06-02 15:21 66,560 --a------ C:\WINDOWS\system32\on.exe
2007-06-02 09:16 66,560 --a------ C:\WINDOWS\system32\ghqdeflfusrb.exe
2007-05-19 16:08 <DIR> d-------- C:\Program Files\Bonjour
2007-05-19 16:04 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-05-18 17:00 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-05-18 17:00 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-05-18 17:00 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-05-18 17:00 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-05-18 17:00 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-05-18 17:00 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-05-18 17:00 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-15 13:56:57 -------- d-----w C:\Program Files\Plaxo
2007-06-14 13:12:17 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-11 01:28:59 -------- d-----w C:\Program Files\Lx_cats
2007-06-05 02:26:52 -------- d-----w C:\Program Files\AIM
2007-05-27 23:11:07 -------- d-----w C:\Program Files\TaxCut04
2007-05-19 20:08:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-19 20:02:29 -------- d-----w C:\Program Files\Kodak
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 21:52:11 -------- d-----w C:\Program Files\Norton Internet Security
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 00:34:40 584 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2006-02-07 03:35]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2006-02-05 05:03]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-13 20:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-12 11:30]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 17:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 20:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-06-13 02:36:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-02 19:53:00 C:\WINDOWS\tasks\EasyShare Registration Task.job
2007-06-15 13:59:36 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-16 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Mom.job
2007-06-01 01:26:00 C:\WINDOWS\tasks\RoxioUpdator.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 21:17:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-15 21:21:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-15 21:21
--- E O F ---
OK the story continues :)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
:oops: I was sure I posted this yesterday - I guess I missed the part about it being too long. Here's the first part, SDFix report.txt:
SDFix: Version 1.88
Run by Mom on Sun 06/17/2007 at 09:16 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
iueyuuw81
ImagePath:
C:\WINDOWS\system32\ngeoocj.exe /service
iueyuuw81 - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\ARABOGO.EXE - Deleted
C:\WINDOWS\SYSTEM32\DODHZS~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ECFACP~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ETIXKUI.EXE - Deleted
C:\WINDOWS\SYSTEM32\FWKIOH~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GHQDEF~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GRPZLH~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\IKDWM.EXE - Deleted
C:\WINDOWS\SYSTEM32\JVWWUR.EXE - Deleted
C:\WINDOWS\SYSTEM32\JXDKA.EXE - Deleted
C:\WINDOWS\SYSTEM32\KBZNXL.EXE - Deleted
C:\WINDOWS\SYSTEM32\MOZARD~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\MVFKUI~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\NT.EXE - Deleted
C:\WINDOWS\SYSTEM32\NZFZE.EXE - Deleted
C:\WINDOWS\SYSTEM32\OEQTMI~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ON.EXE - Deleted
C:\WINDOWS\SYSTEM32\PDC.EXE - Deleted
C:\WINDOWS\SYSTEM32\PPGUAI~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\RZIESA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SFEBFD.EXE - Deleted
C:\WINDOWS\SYSTEM32\SXZQMBZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\USFGXU~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\VHDRKK~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\WJJBYW~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WUZFDR.EXE - Deleted
C:\WINDOWS\SYSTEM32\XONTH.EXE - Deleted
C:\WINDOWS\SYSTEM32\YKMPUC~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\YSUXLZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\UKTSWH~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\AVAFHF~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\CMDBKY~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FVH.EXE - Deleted
C:\WINDOWS\SYSTEM32\JACLZB~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\JRVJKE~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PHNYD.EXE - Deleted
C:\WINDOWS\SYSTEM32\RDLLTP.EXE - Deleted
C:\WINDOWS\SYSTEM32\SGDJVBCU.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZMMSET~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\NGEOOCJ.EXE - Deleted
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS\
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\lxcfcoms.exe"="C:\\WINDOWS\\system32\\lxcfcoms.exe:*:Enabled:730 Series"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Documents and Settings\Katie\Favorites\Channels\Business\The Quicken.com Channel\desktop.ini
C:\Documents and Settings\Meghan\NetHood\wdwinfo on www.wdwinfo.com\Desktop.ini
C:\Documents and Settings\Mom\Favorites\Channels\Business\The Quicken.com Channel\desktop.ini
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\AppPatch\msiexec.exe
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Documents\~WRL0001.tmp
C:\Documents and Settings\All Users\Documents\~WRL0002.tmp
C:\Documents and Settings\All Users\Documents\~WRL0003.tmp
C:\Documents and Settings\All Users\Documents\~WRL0004.tmp
C:\Documents and Settings\All Users\Documents\~WRL0054.tmp
C:\Documents and Settings\All Users\Documents\~WRL0069.tmp
C:\Documents and Settings\All Users\Documents\~WRL0348.tmp
C:\Documents and Settings\All Users\Documents\~WRL0481.tmp
C:\Documents and Settings\All Users\Documents\~WRL0542.tmp
C:\Documents and Settings\All Users\Documents\~WRL0551.tmp
C:\Documents and Settings\All Users\Documents\~WRL0562.tmp
C:\Documents and Settings\All Users\Documents\~WRL0609.tmp
C:\Documents and Settings\All Users\Documents\~WRL0615.tmp
C:\Documents and Settings\All Users\Documents\~WRL0623.tmp
C:\Documents and Settings\All Users\Documents\~WRL0637.tmp
C:\Documents and Settings\All Users\Documents\~WRL0645.tmp
C:\Documents and Settings\All Users\Documents\~WRL0767.tmp
C:\Documents and Settings\All Users\Documents\~WRL0844.tmp
C:\Documents and Settings\All Users\Documents\~WRL1156.tmp
C:\Documents and Settings\All Users\Documents\~WRL1200.tmp
C:\Documents and Settings\All Users\Documents\~WRL1201.tmp
C:\Documents and Settings\All Users\Documents\~WRL1295.tmp
C:\Documents and Settings\All Users\Documents\~WRL1297.tmp
C:\Documents and Settings\All Users\Documents\~WRL1383.tmp
C:\Documents and Settings\All Users\Documents\~WRL1463.tmp
C:\Documents and Settings\All Users\Documents\~WRL1508.tmp
C:\Documents and Settings\All Users\Documents\~WRL1782.tmp
C:\Documents and Settings\All Users\Documents\~WRL1787.tmp
C:\Documents and Settings\All Users\Documents\~WRL1880.tmp
C:\Documents and Settings\All Users\Documents\~WRL1919.tmp
C:\Documents and Settings\All Users\Documents\~WRL1926.tmp
C:\Documents and Settings\All Users\Documents\~WRL1939.tmp
C:\Documents and Settings\All Users\Documents\~WRL2072.tmp
C:\Documents and Settings\All Users\Documents\~WRL2144.tmp
C:\Documents and Settings\All Users\Documents\~WRL2181.tmp
C:\Documents and Settings\All Users\Documents\~WRL2322.tmp
C:\Documents and Settings\All Users\Documents\~WRL2406.tmp
C:\Documents and Settings\All Users\Documents\~WRL2437.tmp
C:\Documents and Settings\All Users\Documents\~WRL2554.tmp
C:\Documents and Settings\All Users\Documents\~WRL2671.tmp
C:\Documents and Settings\All Users\Documents\~WRL2731.tmp
C:\Documents and Settings\All Users\Documents\~WRL2747.tmp
C:\Documents and Settings\All Users\Documents\~WRL2785.tmp
C:\Documents and Settings\All Users\Documents\~WRL2908.tmp
C:\Documents and Settings\All Users\Documents\~WRL2924.tmp
C:\Documents and Settings\All Users\Documents\~WRL2927.tmp
C:\Documents and Settings\All Users\Documents\~WRL3015.tmp
C:\Documents and Settings\All Users\Documents\~WRL3059.tmp
C:\Documents and Settings\All Users\Documents\~WRL3117.tmp
C:\Documents and Settings\All Users\Documents\~WRL3185.tmp
C:\Documents and Settings\All Users\Documents\~WRL3214.tmp
C:\Documents and Settings\All Users\Documents\~WRL3239.tmp
C:\Documents and Settings\All Users\Documents\~WRL3251.tmp
C:\Documents and Settings\All Users\Documents\~WRL3291.tmp
C:\Documents and Settings\All Users\Documents\~WRL3318.tmp
C:\Documents and Settings\All Users\Documents\~WRL3331.tmp
C:\Documents and Settings\All Users\Documents\~WRL3386.tmp
C:\Documents and Settings\All Users\Documents\~WRL3406.tmp
C:\Documents and Settings\All Users\Documents\~WRL3540.tmp
C:\Documents and Settings\All Users\Documents\~WRL3679.tmp
C:\Documents and Settings\All Users\Documents\~WRL3710.tmp
C:\Documents and Settings\All Users\Documents\~WRL3735.tmp
C:\Documents and Settings\All Users\Documents\~WRL3777.tmp
C:\Documents and Settings\All Users\Documents\~WRL3783.tmp
C:\Documents and Settings\All Users\Documents\~WRL3825.tmp
C:\Documents and Settings\All Users\Documents\~WRL3962.tmp
C:\Documents and Settings\All Users\Documents\~WRL4082.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Erin\My Documents\~WRL3009.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0006.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0883.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0997.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL1287.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL2610.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL3396.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL3641.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL3931.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL4100.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0003.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0090.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0210.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0223.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0248.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0549.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0649.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0664.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0697.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0892.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1220.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1342.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1666.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1687.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1750.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1802.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1839.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1900.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1973.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2344.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2435.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2450.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2453.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2492.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2699.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3021.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3128.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3137.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3356.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3431.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3510.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3912.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3998.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL0270.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL0886.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL2243.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL2461.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL3713.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL1382.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL2708.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL3123.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Listing User Accounts:
User accounts for \\DELL
Administrator ASPNET Colleen
Devon Erin Guest
HelpAssistant Katie Meghan
Mom SUPPORT_388945a0
Finished
Logfile of HijackThis v1.99.1
Scan saved at 9:56:00 PM, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AppPatch\msiexec.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WINDOWS MSI Installer Application (LD-MSIEXEC_Inst) - Unknown owner - C:\WINDOWS\AppPatch\msiexec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
OK good :)
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
What are these different scans doing? just curious. Does this log indicate possible sources of problems? I notice my one daughter has alot of favorites that appeared on this list.
Thanks for your help on this :bigthumb:
**********split into 2 sections*********************************
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-21 21:30:33
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT 829200F8 ZwAlertResumeThread
SSDT 82920730 ZwAlertThread
SSDT 8294F4C8 ZwAllocateVirtualMemory
SSDT 82908DD8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 8291E490 ZwCreateMutant
SSDT 82917E50 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 828E5720 ZwFreeVirtualMemory
SSDT 8291CBF0 ZwImpersonateAnonymousToken
SSDT 8291C008 ZwImpersonateThread
SSDT 82A794C8 ZwMapViewOfSection
SSDT 829B7A18 ZwOpenEvent
SSDT 8291ACE8 ZwOpenProcessToken
SSDT 829560C0 ZwOpenThreadToken
SSDT 8280F290 ZwQueryValueKey
SSDT 82A06660 ZwResumeThread
SSDT 82914160 ZwSetContextThread
SSDT 8291CA58 ZwSetInformationProcess
SSDT 82921B68 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 82913B50 ZwSuspendProcess
SSDT 82921610 ZwSuspendThread
SSDT 829A5370 ZwTerminateProcess
SSDT 829219D0 ZwTerminateThread
SSDT 829D1BC0 ZwUnmapViewOfSection
SSDT 82B00570 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified.
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2A1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A0277 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A01F8 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A023C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A0184 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A01BE C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A02B2 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5304] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F3164E C:\WINDOWS\system32\IEFRAME.dll
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\Erin\Favorites\ Naruto Couples.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - (Naruto) If Everyone Cared.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - A Naruto Boys Tribute.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Akatsuki Sailors.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - All the Things She Said- Naruto Girls.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - All the Things She Said.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - AMV - Naruto - I'm just a kid.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - AMV - Naruto - Just the Girl.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - AMV - Naruto - Nickelback - If Everyone Cared.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Avatar intro- Naruto style.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - avatar loves.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Avatar The Last Airbender AMV Linkin Park KRWLNG.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Avril Lavigne - Girlfriend.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Barbie boys [Naruto and Sasuke].url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - boobies my milkshake.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Bowling For Soup - Almost.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Bowling For Soup-Punk Rock 101.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Close My Eyes - A KakaSaku Tribute.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - crawling naruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - DDR Speed Over Beethoven (AMV).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Funny Rock Lee Scenes.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Gaara and Naruto - All The Things She Said.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Gay Naruto Couples.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Hey Sasuke,Sakura hates your girlfriend!.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - hinata 30 seconds to mars.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Hinata-Welcome To My Life.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - How to perform the Chidori hand seals(Kakashi's version).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - How to perform the Dragon Flame Jutsu Hand Seals.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - How to Perform the Phoenix Fire Jutsu.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - I Hate Everything About You- Neji vs. Hinata.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - I Write Sins Not Tragedies Naruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - I Write Sins Not Tragedies [Naruto].url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Itachi and Sakura- Just like you.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Itachi vs Orochimaru.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - KakaSasu- I love you but I HATE you! (Request).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kakashi x Anko.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kakashi x Sakura {Everything You Want}2.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kakashi x Sasuke - KakaSasu AMV.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kakashi x Sasuke x Sakura x Naruto [Time After Time].url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kiba and Hinata - Avril Lavigne - Girlfriend.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kingdom Hearts 2 - Speed Over Beethoven.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kingdom Hearts 2 Opening (English).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Kingdom Hearts 2 Opening.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Linkin park - crawling.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Lips of an Angel.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Mr. Wonderful (Naruto).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto - All The Things She Said.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto - Girlfriend.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto - It's been a while - Staind.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto - Papa Roach (Last Resort).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto - Zabuzas Death - Until the day i die.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto 1st Movie - Green Day - Boulivard of Broken Dreams.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto American Idol.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto AMV - I Write Sins Not Tragedies.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - naruto amv head strong.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Character Theme Songs crawling.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Couples.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - naruto couples2.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto funny 3.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - naruto girl's milkshake ^^.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Girlfriend-Avril Lavigne.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Idol! The best one there is!.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto is Headstrong.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Last Resort.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto milkshakes.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Party 2.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Party 3(holiday special =3).url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Party 4.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Party 5.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Party 6.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Randomness 2.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Randomness 3.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Randomness 4.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Randomness 5.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto Simple and Clean.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto x Sakura - Keep Holding On.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto X Sasuke X Kakashi [Malchik Gay].url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto!KakasiVsnaruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto, Sakura and Sasuke - The Kill.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto, Sasuke, Sakura and Ino are Kids in America.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto- Best Friend.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto- I'm Just A Kid.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - naruto- jutsu hand signs.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto- Linkin Park Crawling.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto- Shoes.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto- The Sailor song.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto-Hinata Tarzan and Jane.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto-If Everyone Cared.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - naruto-pretty fly for a white guy.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Naruto-Speed Over Beethoven.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Ninja of Konoha.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Ninjas in Love.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Obito and Kakashi-Sasuke and Naruto - Like Toy Soldiers.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Panic! Naruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Rock Lee is pitiful.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - rock lee you're pitiful.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Sakura and Ino - All The Things She Said.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - sakura and kakashi illegal love.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Sakura and Naruto vs Kakashi.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Sakura is Stuck in 1985.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - sakura, sasuke, naruto and kakashi's lip syncing and AMV.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Sanctuary - Naruto!!.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Sasuke and Sakura Tribute-All The Things She Said.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Shoes the Full Version.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Simple and Clean-Naruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Speed Over Beethoven.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Speed Over Beethoven3.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Temari... ~You U.G.L.Y~.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - The Boys of Naruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - The Kill-Naruto VS Sasuke.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - The Naruto Filler Rasengan Compilation.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - The Naruto Mix 2.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - This is Your Life - Naruto {Kakashi}.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Toph- Face Down.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Ultimate Naruto Fanflash 62.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Until I Die - A KakaSaku Tribute.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Welcome to my life!.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Welcome to the Black Parade Naruto.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - Which Naruto Character Is Gay.url:favicon
ADS C:\Documents and Settings\Erin\Favorites\YouTube - You U.G.L.Y Sasuke!.url:favicon
ADS C:\RECYCLER\S-1-5-21-57989841-789336058-1060284298-1007\Dc19.url:favicon
ADS C:\RECYCLER\S-1-5-21-57989841-789336058-1060284298-1007\Dc21.url:favicon
ADS C:\RECYCLER\S-1-5-21-57989841-789336058-1060284298-1007\Dc22.url:favicon
---- EOF - GMER 1.0.12 ----
Hi again, we'll continue :)
Those scans were necessary, now I know what we need to remove :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entry if you haven't locked Internet Explorer settings on purpose.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Please run Killbox.
Select "Delete on Reboot".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\jrvjkexaot.exe
C:\WINDOWS\system32\rdlltp.exe
C:\WINDOWS\system32\zmmsetysv.exe
C:\WINDOWS\system32\avafhfggpd.exe
C:\WINDOWS\system32\jaclzbcwetmi.exe
C:\WINDOWS\system32\sgdjvbcu.exe
C:\WINDOWS\system32\phnyd.exe
C:\WINDOWS\system32\fvh.exe
C:\WINDOWS\system32\cmdbkyhrsfxi.exe
C:\WINDOWS\system32\ikdwm.exe
C:\WINDOWS\system32\kbznxl.exe
C:\WINDOWS\system32\jxdka.exe
C:\WINDOWS\system32\mozardidr.exe
C:\WINDOWS\system32\grpzlhqwesfw.exe
C:\WINDOWS\system32\usfgxulwjtlm.exe
C:\WINDOWS\system32\wuzfdr.exe
C:\WINDOWS\system32\vhdrkksirotn.exe
C:\WINDOWS\system32\ppguaiowht.exe
C:\WINDOWS\system32\rziesahicav.exe
C:\WINDOWS\system32\oeqtmimemobc.exe
C:\WINDOWS\system32\arabogo.exe
C:\WINDOWS\system32\sxzqmbz.exe
C:\WINDOWS\system32\dodhzshwopr.exe
C:\WINDOWS\system32\sfebfd.exe
C:\WINDOWS\system32\fwkiohghdkww.exe
C:\WINDOWS\system32\ykmpuckyz.exe
C:\WINDOWS\system32\ysuxlzhpufh.exe
C:\WINDOWS\system32\jvwwur.exe
C:\WINDOWS\system32\pdc.exe
C:\WINDOWS\system32\wj.exe
C:\WINDOWS\system32\nzfze.exe
C:\WINDOWS\system32\nt.exe
C:\WINDOWS\system32\mvfkuiifydvu.exe
C:\WINDOWS\system32\etixkui.exe
C:\boot0S.exe
C:\WINDOWS\system32\ecfacppxccqi.exe
C:\WINDOWS\system32\uktswhdpdek.exe
C:\WINDOWS\system32\xonth.exe
C:\WINDOWS\system32\wjjbywttug.exe
C:\WINDOWS\system32\on.exe
C:\WINDOWS\system32\ghqdeflfusrb.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Select "All Files".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\AppPatch\msiexec.exe
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- virustotal results
I ran AVG as described but after I selected "Apply all actions", the "Save Report" button was grayed out. I checked the directory where I install AVG and I don't see anything resembling what was found in the scan.
Virustotal report:
Complete scanning result of "msiexec.exe", received in VirusTotal at 06.26.2007, 16:59:22 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.26.2007 no virus found
AntiVir 7.4.0.34 06.26.2007 HEUR/Crypted
Authentium 4.93.8 06.25.2007 no virus found
Avast 4.7.997.0 06.26.2007 no virus found
AVG 7.5.0.476 06.26.2007 no virus found
BitDefender 7.2 06.26.2007 no virus found
CAT-QuickHeal 9.00 06.26.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.26.2007 no virus found
DrWeb 4.33 06.26.2007 no virus found
eSafe 7.0.15.0 06.26.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3743 06.26.2007 no virus found
Ewido 4.0 06.26.2007 no virus found
FileAdvisor 1 06.26.2007 no virus found
Fortinet 2.91.0.0 06.26.2007 no virus found
F-Prot 4.3.2.48 06.25.2007 no virus found
F-Secure 6.70.13030.0 06.26.2007 Backdoor.Win32.SdBot.aad
Ikarus T3.1.1.8 06.26.2007 Backdoor.Win32.Rbot.cgu
Kaspersky 4.0.2.24 06.26.2007 Backdoor.Win32.SdBot.aad
McAfee 5061 06.26.2007 no virus found
Microsoft 1.2701 06.26.2007 no virus found
NOD32v2 2355 06.26.2007 no virus found
Norman 5.80.02 06.26.2007 W32/Hupigon.gen76
Panda 9.0.0.4 06.26.2007 Suspicious file
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 06.26.2007 VIPRE.Suspicious
Symantec 10 06.26.2007 no virus found
TheHacker 6.1.6.137 06.26.2007 no virus found
VBA32 3.12.0.2 06.25.2007 no virus found
VirusBuster 4.3.23:9 06.26.2007 no virus found
Webwasher-Gateway 6.0.1 06.26.2007 Heuristic.Crypted
Aditional Information
File size: 90112 bytes
MD5: 1abf52e47af877d8f4441da3b2cb8b49
SHA1: 8bd03de629d419af260d15c4a008695ae4de3ab5
packers: PELOCK
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:59:14 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AppPatch\msiexec.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\lxcfcoms.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\sipsmonohyk.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vlpogizdknww] C:\WINDOWS\system32\vlpogizdknww.exe
O4 - HKLM\..\Run: [rqbaghbw] C:\WINDOWS\system32\rqbaghbw.exe
O4 - HKLM\..\Run: [sipsmonohyk] C:\WINDOWS\system32\sipsmonohyk.exe
O4 - HKLM\..\RunServices: [vlpogizdknww] C:\WINDOWS\system32\vlpogizdknww.exe
O4 - HKLM\..\RunServices: [rqbaghbw] C:\WINDOWS\system32\rqbaghbw.exe
O4 - HKLM\..\RunServices: [sipsmonohyk] C:\WINDOWS\system32\sipsmonohyk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Print Spooler Service (iueyuuw81) - Unknown owner - C:\WINDOWS\system32\sipsmonohyk.exe
O23 - Service: WINDOWS MSI Installer Application (LD-MSIEXEC_Inst) - Unknown owner - C:\WINDOWS\AppPatch\msiexec.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hello :)
OK we'll continue...
Please remove SDFix from your computer (we'll use the updated version)
Download the latest version of SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
SDFix report:
SDFix: Version 1.88
Run by Mom on Thu 06/28/2007 at 05:26 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
LD-MSIEXEC_Inst
iueyuuw81
ImagePath:
"C:\WINDOWS\AppPatch\msiexec.exe"
C:\WINDOWS\system32\sipsmonohyk.exe /service
LD-MSIEXEC_Inst - Deleted
iueyuuw81 - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\EYRKO.EXE - Deleted
C:\WINDOWS\SYSTEM32\SIPSMO~1.EXE - Deleted
C:\WINDOWS\AppPatch\msiexec.exe - Deleted
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\lxcfcoms.exe"="C:\\WINDOWS\\system32\\lxcfcoms.exe:*:Enabled:730 Series"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Documents and Settings\Katie\Favorites\Channels\Business\The Quicken.com Channel\desktop.ini
C:\Documents and Settings\Meghan\NetHood\wdwinfo on www.wdwinfo.com\Desktop.ini
C:\Documents and Settings\Mom\Favorites\Channels\Business\The Quicken.com Channel\desktop.ini
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Documents\~WRL0001.tmp
C:\Documents and Settings\All Users\Documents\~WRL0002.tmp
C:\Documents and Settings\All Users\Documents\~WRL0003.tmp
C:\Documents and Settings\All Users\Documents\~WRL0004.tmp
C:\Documents and Settings\All Users\Documents\~WRL0054.tmp
C:\Documents and Settings\All Users\Documents\~WRL0069.tmp
C:\Documents and Settings\All Users\Documents\~WRL0348.tmp
C:\Documents and Settings\All Users\Documents\~WRL0481.tmp
C:\Documents and Settings\All Users\Documents\~WRL0542.tmp
C:\Documents and Settings\All Users\Documents\~WRL0551.tmp
C:\Documents and Settings\All Users\Documents\~WRL0562.tmp
C:\Documents and Settings\All Users\Documents\~WRL0609.tmp
C:\Documents and Settings\All Users\Documents\~WRL0615.tmp
C:\Documents and Settings\All Users\Documents\~WRL0623.tmp
C:\Documents and Settings\All Users\Documents\~WRL0637.tmp
C:\Documents and Settings\All Users\Documents\~WRL0645.tmp
C:\Documents and Settings\All Users\Documents\~WRL0767.tmp
C:\Documents and Settings\All Users\Documents\~WRL0844.tmp
C:\Documents and Settings\All Users\Documents\~WRL1156.tmp
C:\Documents and Settings\All Users\Documents\~WRL1200.tmp
C:\Documents and Settings\All Users\Documents\~WRL1201.tmp
C:\Documents and Settings\All Users\Documents\~WRL1295.tmp
C:\Documents and Settings\All Users\Documents\~WRL1297.tmp
C:\Documents and Settings\All Users\Documents\~WRL1383.tmp
C:\Documents and Settings\All Users\Documents\~WRL1463.tmp
C:\Documents and Settings\All Users\Documents\~WRL1508.tmp
C:\Documents and Settings\All Users\Documents\~WRL1782.tmp
C:\Documents and Settings\All Users\Documents\~WRL1787.tmp
C:\Documents and Settings\All Users\Documents\~WRL1880.tmp
C:\Documents and Settings\All Users\Documents\~WRL1919.tmp
C:\Documents and Settings\All Users\Documents\~WRL1926.tmp
C:\Documents and Settings\All Users\Documents\~WRL1939.tmp
C:\Documents and Settings\All Users\Documents\~WRL2072.tmp
C:\Documents and Settings\All Users\Documents\~WRL2144.tmp
C:\Documents and Settings\All Users\Documents\~WRL2181.tmp
C:\Documents and Settings\All Users\Documents\~WRL2322.tmp
C:\Documents and Settings\All Users\Documents\~WRL2406.tmp
C:\Documents and Settings\All Users\Documents\~WRL2437.tmp
C:\Documents and Settings\All Users\Documents\~WRL2554.tmp
C:\Documents and Settings\All Users\Documents\~WRL2671.tmp
C:\Documents and Settings\All Users\Documents\~WRL2731.tmp
C:\Documents and Settings\All Users\Documents\~WRL2747.tmp
C:\Documents and Settings\All Users\Documents\~WRL2785.tmp
C:\Documents and Settings\All Users\Documents\~WRL2908.tmp
C:\Documents and Settings\All Users\Documents\~WRL2924.tmp
C:\Documents and Settings\All Users\Documents\~WRL2927.tmp
C:\Documents and Settings\All Users\Documents\~WRL3015.tmp
C:\Documents and Settings\All Users\Documents\~WRL3059.tmp
C:\Documents and Settings\All Users\Documents\~WRL3117.tmp
C:\Documents and Settings\All Users\Documents\~WRL3185.tmp
C:\Documents and Settings\All Users\Documents\~WRL3214.tmp
C:\Documents and Settings\All Users\Documents\~WRL3239.tmp
C:\Documents and Settings\All Users\Documents\~WRL3251.tmp
C:\Documents and Settings\All Users\Documents\~WRL3291.tmp
C:\Documents and Settings\All Users\Documents\~WRL3318.tmp
C:\Documents and Settings\All Users\Documents\~WRL3331.tmp
C:\Documents and Settings\All Users\Documents\~WRL3386.tmp
C:\Documents and Settings\All Users\Documents\~WRL3406.tmp
C:\Documents and Settings\All Users\Documents\~WRL3540.tmp
C:\Documents and Settings\All Users\Documents\~WRL3679.tmp
C:\Documents and Settings\All Users\Documents\~WRL3710.tmp
C:\Documents and Settings\All Users\Documents\~WRL3735.tmp
C:\Documents and Settings\All Users\Documents\~WRL3777.tmp
C:\Documents and Settings\All Users\Documents\~WRL3783.tmp
C:\Documents and Settings\All Users\Documents\~WRL3825.tmp
C:\Documents and Settings\All Users\Documents\~WRL3962.tmp
C:\Documents and Settings\All Users\Documents\~WRL4082.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Erin\My Documents\~WRL3009.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0006.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0883.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL0997.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL1287.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL2610.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL3396.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL3641.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL3931.tmp
C:\Documents and Settings\Katie\Application Data\Microsoft\Word\~WRL4100.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0003.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0090.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0210.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0223.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0248.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0549.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0649.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0664.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0697.tmp
C:\Documents and Settings\Katie\My Documents\~WRL0892.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1220.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1342.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1666.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1687.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1750.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1802.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1839.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1900.tmp
C:\Documents and Settings\Katie\My Documents\~WRL1973.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2344.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2435.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2450.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2453.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2492.tmp
C:\Documents and Settings\Katie\My Documents\~WRL2699.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3021.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3128.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3137.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3356.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3431.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3510.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3912.tmp
C:\Documents and Settings\Katie\My Documents\~WRL3998.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL0270.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL0886.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL2243.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL2461.tmp
C:\Documents and Settings\Katie\My Documents\Katie\~WRL3713.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL1382.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL2708.tmp
C:\Documents and Settings\Meghan\Application Data\Microsoft\Word\~WRL3123.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Listing User Accounts:
Administrator ASPNET Colleen
Devon Erin Guest
HelpAssistant Katie Meghan
Mom SUPPORT_388945a0
Finished
HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:10:08 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vlpogizdknww] C:\WINDOWS\system32\vlpogizdknww.exe
O4 - HKLM\..\Run: [rqbaghbw] C:\WINDOWS\system32\rqbaghbw.exe
O4 - HKLM\..\RunServices: [vlpogizdknww] C:\WINDOWS\system32\vlpogizdknww.exe
O4 - HKLM\..\RunServices: [rqbaghbw] C:\WINDOWS\system32\rqbaghbw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [vlpogizdknww] C:\WINDOWS\system32\vlpogizdknww.exe
O4 - HKLM\..\Run: [rqbaghbw] C:\WINDOWS\system32\rqbaghbw.exe
O4 - HKLM\..\RunServices: [vlpogizdknww] C:\WINDOWS\system32\vlpogizdknww.exe
O4 - HKLM\..\RunServices: [rqbaghbw] C:\WINDOWS\system32\rqbaghbw.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\vlpogizdknww.exe
C:\WINDOWS\system32\rqbaghbw.exe
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart your computer normally.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
That AVG doesn't like me ;) It won't let me Save Report. This time it only found 1; Adware.Aws and it is quarantined.
Have a great day and thanks again!
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 6:41:34 AM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hello :)
Looks quite good. How is the computer running now? Any issues?
Sorry for the delay, I've been away...
Yes, everything seems to be working fine. Thank you so much for your assistance! :bow:
Hi again, that's great news :)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)