View Full Version : Virtumonde Help
Hello. I've been trying to get this Virtumonde virus off of my girlfriend's laptop for a week now with no success. I've tried Ad-Aware 2007, Spybot S&D, and even VundoFix, and it just keeps on coming back, so I thought I'd post for help here.
The requisite logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:16 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kqkmtkcp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mefeseku] C:\Program Files\Outlook Express\mefeseku22011.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cbygnotw.dll",forkonce
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\kqdsrngn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\kqkmtkcp.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10475 bytes
the other log to follow...
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 14, 2007 3:36:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 14/09/2007
Kaspersky Anti-Virus database records: 418617
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 81150
Number of viruses found: 9
Number of infected objects: 46
Number of suspicious objects: 0
Duration of the scan process: 01:19:58
Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Amanda\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temp\JET643D.tmp Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temp\~ROMFN_00000E8C Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\T0GA6OK1\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Amanda\ntuser.dat Object is locked skipped
C:\Documents and Settings\Amanda\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\Antispam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\MSN\qujawi.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03E77668.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03E77668.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03E77668.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04226A28.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04226A28.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04226A28.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\047303CE.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\047303CE.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\047303CE.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04BB1F7F.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04BB1F7F.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04BB1F7F.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04D24566.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04D24566.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04D24566.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38F05C7C.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38F05C7C.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38F05C7C.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38FD046E.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38FD046E.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38FD046E.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A1E3BC3.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A1E3BC3.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A1E3BC3.doc CryptFF: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046244.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046275.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046278.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP597\A0046327.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0046936.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049012.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049013.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049015.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049017.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049018.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0049084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\change.log Object is locked skipped
C:\VundoFix Backups\urqnkji.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2020EFD8-D259-41EC-85AD-5216E248FCF1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\bbgrulrp.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\dqdlacis.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\mvrmueho.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\SYSTEM32\vfhxqxcq.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wpbesanc.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Angelfire777
2007-09-15, 15:37
Hi, welcome to Safer Networking!
Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
1. Save it to your desktop.
2. Make sure you save and close ALL open windows and programs that you are running in the taskbar as combofix will attempt to end all non-windows processes for a faster and more successful cleaning.
Click start > run > copy and paste:
"%userprofile%\desktop\combofix.exe" /killall
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
_______
HJT Uninstall list
Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.
On your next reply, please include a
Fresh HijackThis log.
HJT Uninstall list
Combofix log.
Hello Angelfire, thank you so much for your help. Here are the logs, in the next few posts.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:41 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8E95F08D-C517-41D8-B8AF-D5A27B834DEF} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A095C399-6D27-4909-B52E-7A2B8F94227F} - (no file)
O2 - BHO: (no name) - {B599CDD1-17E5-4E47-8B0E-F6F64B8283DD} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5322333-9479-4ED2-BD7C-521AAFC5C0C2} - (no file)
O2 - BHO: (no name) - {FD7D33BB-51E3-42A1-925F-2C48552AD8D1} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mefeseku] C:\Program Files\Outlook Express\mefeseku22011.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11020 bytes
The uninstall list:
Ad-Aware 2007
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
Apple Software Update
ArcSoft Panorama Maker 3
Banctec Service Agreement
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CC_ccProxyMSI
CC_ccStart
ccCommon
Conexant D480 MDC V.9x Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell ResourceCD
DellSupport
Digital Line Detect
FAWAV
GameSpy Arcade
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Image Resizer Powertoy for Windows XP
Intel(R) Extreme Graphics 2 Driver
Intel(R) PROSet
InterActual Player
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 3
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Learn to Speak Spanish Deluxe 9.5
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft User-Mode Driver Framework Feature Pack 1.0
MiKTeX
Modem Helper
Move Networks Player for Internet Explorer
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MultiMedia Disk
MUSIC PLAYER
Musicmatch® Jukebox
Netflix Movie Viewer
NetWaiting
Nikon Message Center
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Security Center
Norton WMI Update
OpenMG Limited Patch 3.3-03-09-03-01
OpenMG Secure Module 3.3.01
OpenOffice.org 2.0
PictureProject
PictureProject In Touch Downloader 1.0
PowerDVD 5.1
PuTTY version 0.53b
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Shockwave
SigmaTel AC97 Audio Drivers
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
SSH Secure Shell
Symantec Script Blocking Installer
Synaptics Pointing Device Driver
Texas Instruments PCIxx20 drivers.
TeXnicCenter Version 1 Beta 6.01
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinEdt
WinEdt
WordPerfect Office 12
Yahoo! Music Jukebox
ComboFix 07-09-14.2 - "Amanda" 2007-09-15 13:50:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.57 [GMT -5:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Amanda\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Amanda\STARTM~1\Programs\Startup\ta_start.lnk
C:\Program Files\MSN\qujawi.dll
C:\Program Files\winpop
C:\Program Files\winpop\winpop.exe.lzma
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\aoaeomnf.ini
C:\WINDOWS\system32\bbgrulrp.exe
C:\WINDOWS\SYSTEM32\bdggh.bak1
C:\WINDOWS\SYSTEM32\bdggh.bak2
C:\WINDOWS\SYSTEM32\bdggh.ini
C:\WINDOWS\SYSTEM32\bdggh.ini2
C:\WINDOWS\SYSTEM32\bdggh.tmp
C:\WINDOWS\system32\dqdlacis.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fnmoeaoa.dll
C:\WINDOWS\system32\gdcmjnxj.dll
C:\WINDOWS\system32\hbvicvue.dll
C:\WINDOWS\system32\hggdb.dll
C:\WINDOWS\system32\hhesgchj.exe
C:\WINDOWS\system32\ictownry.exe
C:\WINDOWS\system32\jojodnvp.dll
C:\WINDOWS\SYSTEM32\jxnjmcdg.ini
C:\WINDOWS\system32\knsurqqf.exe
C:\WINDOWS\system32\kqkmtkcp.exe
C:\WINDOWS\system32\mvrmueho.exe
C:\WINDOWS\system32\vfhxqxcq.exe
C:\WINDOWS\system32\wpbesanc.exe
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.
2007-09-15 13:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-14 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-14 13:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-14 13:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-13 20:02 <DIR> d-------- C:\VundoFix Backups
2007-09-13 16:38 <DIR> d--h----- C:\DOCUME~1\ADMINI~1.AMA\WLANProfiles
2007-09-13 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-12 18:45 4,521 --a------ C:\WINDOWS\SYSTEM32\brnahbcp.dll
2007-09-12 00:02 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData
2007-09-12 00:01 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec
2007-09-11 18:52 4,521 --a------ C:\WINDOWS\SYSTEM32\fjrekfcw.dll
2007-09-09 17:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-09 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-09 17:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 16:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-09-07 18:31 <DIR> d--hs---- C:\WINDOWS\QW1hbmRh
2007-09-07 18:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\drvr2
2007-09-07 18:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\cfig322
2007-09-07 18:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\capcam
2007-09-07 18:30 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 13:44 --------- d-------- C:\DOCUME~1\Amanda\APPLIC~1\OpenOffice.org2
2007-09-15 13:41 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 13:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 13:23 --------- d-------- C:\Program Files\Berlitz
2007-09-12 00:39 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-12 00:07 --------- d-------- C:\Program Files\Symantec
2007-09-11 15:11 --------- d-------- C:\Program Files\Yahoo!
2007-09-11 15:06 --------- d-------- C:\Program Files\Hewlett-Packard
2007-09-11 13:43 --------- d-------- C:\Program Files\HP
2007-09-10 11:21 --------- d-------- C:\Program Files\GameSpy Arcade
2007-09-09 16:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-29 00:33 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-29 00:03 --------- d-------- C:\Program Files\Netflix
2007-07-24 14:04 --------- d-------- C:\DOCUME~1\Amanda\APPLIC~1\Yahoo!
2007-07-24 13:56 --------- d-------- C:\Program Files\Cozi Central
2007-07-24 13:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-07-24 13:48 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\QW1hbmRh\kqY1vAl1.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF40241-B58F-44E8-679C-8C5FF0BD09F8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E95F08D-C517-41D8-B8AF-D5A27B834DEF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A095C399-6D27-4909-B52E-7A2B8F94227F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B599CDD1-17E5-4E47-8B0E-F6F64B8283DD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5322333-9479-4ED2-BD7C-521AAFC5C0C2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F674CE99-0883-4B0B-91CE-D92BD33EDCC9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD7D33BB-51E3-42A1-925F-2C48552AD8D1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 19:35]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-29 14:22]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-09 22:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 11:06]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11:06]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-01 12:11]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"mefeseku"="C:\Program Files\Outlook Express\mefeseku22011.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DESKTOP.INI [2004-08-10 13:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-10-07 05:54:15]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-28 17:24:33]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-06-28 09:59:56]
C:\DOCUME~1\Amanda\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 13:04:12]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 18:01:20]
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 13:04:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2004-01-12 06:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\hggdb
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver ;C:\WINDOWS\system32\DRIVERS\w70n51.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 19:03:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-08 03:12:26 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-09-15 18:42:25 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 14:10:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-15 14:19:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-15 14:19
.
--- E O F ---
Angelfire777
2007-09-16, 04:17
Hi,
Please follow the instrcutions HERE (http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&message.id=42328) on how to remove Dell's MyWay.
*Uninstall the items in bold if found:
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
*An optional that I would recommend be uninstalled.
Viewpoint, Viewpoint Manager, Viewpoint Media Player
are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).
*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.
If you decided to remove viewpoint, delete the following folder:
C:\Program Files\Viewpoint
Empty your recycle bin.
_______
Combofix Deletions
Open notepad."
Copy and paste the text inside the code box below to notepad
Killall::
File::
C:\WINDOWS\SYSTEM32\brnahbcp.dll
C:\WINDOWS\SYSTEM32\fjrekfcw.dll
C:\WINDOWS\system32\hggdb.dll
Folder::
C:\VundoFix Backups
C:\WINDOWS\QW1hbmRh
C:\WINDOWS\SYSTEM32\drvr2
C:\WINDOWS\SYSTEM32\cfig322
C:\WINDOWS\SYSTEM32\capcam
C:\Temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF40241-B58F-44E8-679C-8C5FF0BD09F8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E95F08D-C517-41D8-B8AF-D5A27B834DEF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A095C399-6D27-4909-B52E-7A2B8F94227F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B599CDD1-17E5-4E47-8B0E-F6F64B8283DD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5322333-9479-4ED2-BD7C-521AAFC5C0C2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F674CE99-0883-4B0B-91CE-D92BD33EDCC9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD7D33BB-51E3-42A1-925F-2C48552AD8D1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mefeseku"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"="iexplore"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
Save and Name it as "CFScript"
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img263.imageshack.us/img263/9894/cfscriptno0.gif
Combofix wil restart your machine then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.
________
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
_______
Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Download Java Runtime Environment 6u2 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
On your next reply, please include a
Fresh HijackThis log.
Combofix log.
Kaspersky log.
Hello. I have more logs for you. I didn't see MyWay or any of its subsidiaries in the add/remove list, so I couldn't do anything about that. If Kaspersky is to be trusted, looks like I'm still not clean...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:03 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 9944 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 16, 2007 8:10:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 17/09/2007
Kaspersky Anti-Virus database records: 419450
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 80294
Number of viruses found: 9
Number of infected objects: 59
Number of suspicious objects: 0
Duration of the scan process: 01:19:22
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Amanda\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Amanda\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\History\History.IE5\MSHist012007091620070917\index.dat Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temp\JET9422.tmp Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temp\~ROMFN_00000EE8 Object is locked skipped
C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amanda\ntuser.dat Object is locked skipped
C:\Documents and Settings\Amanda\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\Antispam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03E77668.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03E77668.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\03E77668.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04226A28.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04226A28.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04226A28.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\047303CE.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\047303CE.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\047303CE.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04BB1F7F.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04BB1F7F.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04BB1F7F.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04D24566.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04D24566.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04D24566.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38F05C7C.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38F05C7C.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38F05C7C.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38FD046E.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38FD046E.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38FD046E.doc CryptFF: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A1E3BC3.doc/ThisDocument Infected: Virus.MSWord.Thus.aa skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A1E3BC3.doc Embedded: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A1E3BC3.doc CryptFF: infected - 1 skipped
C:\qoobox\Quarantine\C\Program Files\MSN\qujawi.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\VundoFix Backups\urqnkji.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\bbgrulrp.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\dqdlacis.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\hhesgchj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ictownry.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\knsurqqf.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\kqkmtkcp.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\mvrmueho.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\vfhxqxcq.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\wpbesanc.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046244.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046275.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP596\A0046278.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP597\A0046327.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0046936.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049012.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049013.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049015.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049017.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0049018.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0049084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051252.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051253.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051254.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051255.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051256.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051257.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051258.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051259.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051260.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0051267.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP612\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A488FB7B-9E73-450A-9B5B-AEAF279FB87A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
ComboFix 07-09-14.2 - "Amanda" 2007-09-16 18:21:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT -5:00]
* Created a new restore point
FILE::
C:\WINDOWS\SYSTEM32\brnahbcp.dll
C:\WINDOWS\SYSTEM32\fjrekfcw.dll
C:\WINDOWS\system32\hggdb.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\bhhpnfae.dll.bad
C:\VundoFix Backups\bisjdhoj.ini.bad
C:\VundoFix Backups\crtjnyol.dll.bad
C:\VundoFix Backups\difqswgo.dll.bad
C:\VundoFix Backups\eafnphhb.ini.bad
C:\VundoFix Backups\ibsqfqnw.dll.bad
C:\VundoFix Backups\johdjsib.dll.bad
C:\VundoFix Backups\loynjtrc.ini.bad
C:\VundoFix Backups\ogwsqfid.ini.bad
C:\VundoFix Backups\pvaanvuw.ini.bad
C:\VundoFix Backups\skgpevam.dll.bad
C:\VundoFix Backups\sqypompc.dll.bad
C:\VundoFix Backups\umkdguul.dll.bad
C:\VundoFix Backups\urqnkji.dll.bad
C:\VundoFix Backups\wnqfqsbi.ini.bad
C:\VundoFix Backups\wuvnaavp.dll.bad
C:\WINDOWS\QW1hbmRh
C:\WINDOWS\QW1hbmRh\kqY1vAl1.vbs
C:\WINDOWS\SYSTEM32\brnahbcp.dll
C:\WINDOWS\SYSTEM32\capcam
C:\WINDOWS\SYSTEM32\cfig322
C:\WINDOWS\SYSTEM32\drvr2
C:\WINDOWS\SYSTEM32\fjrekfcw.dll
.
((((((((((((((((((((((((( Files Created from 2007-08-16 to 2007-09-16 )))))))))))))))))))))))))))))))
.
2007-09-15 13:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-14 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-14 13:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-14 13:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-13 16:38 <DIR> d--h----- C:\DOCUME~1\ADMINI~1.AMA\WLANProfiles
2007-09-13 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-12 00:02 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData
2007-09-12 00:01 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec
2007-09-09 17:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-09 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-09 17:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 16:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 18:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-15 14:17 --------- d-------- C:\DOCUME~1\Amanda\APPLIC~1\OpenOffice.org2
2007-09-15 14:16 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 13:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 13:23 --------- d-------- C:\Program Files\Berlitz
2007-09-12 00:39 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-12 00:07 --------- d-------- C:\Program Files\Symantec
2007-09-11 15:11 --------- d-------- C:\Program Files\Yahoo!
2007-09-11 15:06 --------- d-------- C:\Program Files\Hewlett-Packard
2007-09-11 13:43 --------- d-------- C:\Program Files\HP
2007-09-10 11:21 --------- d-------- C:\Program Files\GameSpy Arcade
2007-09-09 16:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-29 00:33 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-29 00:03 --------- d-------- C:\Program Files\Netflix
2007-07-24 14:04 --------- d-------- C:\DOCUME~1\Amanda\APPLIC~1\Yahoo!
2007-07-24 13:56 --------- d-------- C:\Program Files\Cozi Central
2007-07-24 13:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-07-24 13:48 --------- d-------- C:\Program Files\Common Files\SureThing Shared
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 19:35]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-29 14:22]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-09 22:58]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 11:06]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11:06]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-01 12:11]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DESKTOP.INI [2004-08-10 13:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-10-07 05:54:15]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-28 17:24:33]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-06-28 09:59:56]
C:\DOCUME~1\Amanda\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 13:04:12]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 18:01:20]
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 13:04:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2004-01-12 06:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\hggdb
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver ;C:\WINDOWS\system32\DRIVERS\w70n51.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 19:03:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-08 03:12:26 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-09-15 18:42:25 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 18:32:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-16 18:43:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 18:42
C:\ComboFix2.txt ... 2007-09-15 14:19
.
--- E O F ---
Angelfire777
2007-09-18, 12:54
Hi,
If Kaspersky is to be trusted, looks like I'm still not clean...
It's to be trusted. Kaspersky is one of the best.
However, what it found are inactive files as most of them are in the quarantines of different programs.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine <<Norton's quarantine
C:\System Volume Information <<System restore folder. You will only be infected if you use system restore.
C:\qoobox <<Combofix quarantine.
======
We need to temporarily disable Spybot's TeaTimer, it may stop our fix.
Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
*Open Norton Internet Security window.
- Click on Norton Internet Security tab.
- Click on Settings.
- Click on Internet Security and Firewall Options. (If you are not able to see that option please scroll down the scroll bar)
- Click on General Setting. Uncheck "Turn on protection for my Symantec
Product."
- Click ok.
- Click on General Setting. Check "Turn on protection for my Symantec
Product."
- Click ok.
_____
Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.
@echo off
for %%g in (
"C:\qoobox"
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint"
) do (
rd /s/q %%g >nul 2>&1
)
echo.REGEDIT4>>lsa.reg
echo.>>lsa.reg
echo.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]>>lsa.reg
echo."Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00>>lsa.reg
regedit /s lsa.reg
del lsa.reg
nircmd wait 7000
del %0
Locate clean.bat on your Desktop and double-click on it.
Reboot then post a fresh HijackThis log and tell me how's your machine running.
Hello again. The computer does seem to be running much better. I was unable to do the Norton bit, as no such option existed (and there was no scroll bar). I checked through the options menus as well, but nothing. At any rate I did run the batch file. Here's the new HJ log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:19 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 9892 bytes
Angelfire777
2007-09-19, 12:03
Hi,
You can just empty the contents of this folder:
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine
Empty your recycle bin.
____
Congratulations your log looks clean!
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.
MVPS Hosts File
~You can download it from here (http://www.mvps.org/winhelp2002/hosts.zip)
~I highly recommend this hosts file. You can learn more about this here (http://www.mvps.org/winhelp2002/hosts.htm)
IESpyAds
~Instructions on downloading and using it here (http://www.techsupportforum.com/articles-tutorials-reviews/computer-security-articles/168444-installation-guide-ie-spyad.html#post1068846)
Note: This only works for Internet Explorer.
Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Happy safe surfing!
Great!
Thank you so much. I couldn't have done it without you.
Angelfire777
2007-09-21, 16:51
You're welcome!:bigthumb:
Angelfire777
2007-09-22, 09:57
Glad we could be of assistance :bigthumb:
Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.