Virtumonde Infection - HJT Logfile Post
trhinesley
2007-12-07, 23:13
Have scanned, found and tried to remove with Norton Internet Security 2008 and Spybot 1.5, but.....it just won't go away.....thanks in advance
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:33 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [58a671b4] rundll32.exe "C:\WINDOWS\system32\sfmpwfkv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-57989841-1935655697-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Niki')
O4 - HKUS\S-1-5-21-57989841-1935655697-839522115-1004\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Niki')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171678571875
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://facorelogic.webex.com/client/T25L/webex/ieatgpc.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 9863 bytes
trhinesley
2007-12-07, 23:55
Per the instructions, I am running the Kaspersky scan and will post it when completed.
trhinesley
2007-12-08, 02:58
OK, here is Part 1. Part 2 will follow. Thank you very much in advance for your support. Anything you can do would be greatly appreciated. I will check back soon for your recommended next steps.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 07, 2007 7:48:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/12/2007
Kaspersky Anti-Virus database records: 476761
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 269246
Number of viruses found: 21
Number of infected objects: 53
Number of suspicious objects: 1
Duration of the scan process: 03:09:06
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{1A906A5A-8A5E-4530-99C3-892F9AD18CF6}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{5208DE3A-47F1-4E35-9AC3-D294B82C7411}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{5AD3AAA9-9551-47E4-B1FD-261CF2C5BD71}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{B0895CFE-4700-473E-89CD-72353D713611}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-07_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8A8C1DCD-B2E7-40A2-9B11-A0BBC6C74C62}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8A8C1DCD-B2E7-40A2-9B11-A0BBC6C74C62}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6EFEB668.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F4210E12.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Tanagra\Memeo\sourceq.db3 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Niki\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Niki\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Niki\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Niki\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Niki\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Niki\Local Settings\Temp\djntjpwb.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Niki\Local Settings\Temp\mjyulfla.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Niki\Local Settings\Temp\Perflib_Perfdata_a1c.dat Object is locked skipped
C:\Documents and Settings\Niki\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Niki\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Niki\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Application Data\Sun\Java\Deployment\log\plugin142.trace Object is locked skipped
C:\Documents and Settings\Todd\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Todd\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/BL2001/BLSETUP.EXE/WISE0075.BIN Infected: not-a-virus:AdWare.Win32.Background skipped
C:\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/BL2001/BLSETUP.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
C:\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/FL2001/FLSETUP.EXE/WISE0076.BIN Infected: not-a-virus:AdWare.Win32.Background skipped
C:\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/FL2001/FLSETUP.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
C:\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe RAR: infected - 4 skipped
C:\Documents and Settings\Todd\Desktop\Downloads\Windows Stuff\rgl17en.exe/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSinc skipped
C:\Documents and Settings\Todd\Desktop\Downloads\Windows Stuff\rgl17en.exe/TSAdBot.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Todd\Desktop\Downloads\Windows Stuff\rgl17en.exe CAB: infected - 2 skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\ApplicationHistory\MemeoBackup.exe.cfb3f2fd.ini.inuse Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/11 Aug 2004 08:00 from U S Bank:URGENT SECURITY NOTIFICATION.rtf Infected: Trojan-Spy.HTML.Usbankfraud.p skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/24 Aug 2001 03:56 to Todd R. Hinesley:FW: This is funny.../Horny1.zl9 Infected: not-virus:BadJoke.Win32.JepRuss skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/21 Sep 2001 22:13 to Paul J. Ott III:RE: Fw: Prayer Wheel/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/21 Sep 2001 22:13 to Richard Taurel:RE: /goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/22 Sep 2001 18:13 to Paul J. Ott III:RE: Fw: Prayer Wheel/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/14 Nov 2001 16:50 to Kevin Kerner:goodform/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/14 Nov 2001 16:51 to KevinKerner@harte-hanks.com:goodform/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/23 Jan 2002 02:08 to Todd Wright:Killer Video/goodform.zip/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/23 Jan 2002 02:08 to Todd Wright:Killer Video/goodform.zip Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/24 Jan 2002 21:56 to Todd Wright:RE: Fantasy Football/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/24 Jan 2002 21:59 to Todd Wright; toddwright@cox-internet.com:go/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/02 Jul 2002 01:16 to derek@hinesley.com:RE: You Suck/small.zl9 Infected: not-virus:BadJoke.Win32.Boredom skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/24 Jul 2002 01:48 to Derek Hinesley:/small.zl9 Infected: not-virus:BadJoke.Win32.Boredom skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/24 Jul 2002 01:48 to Derek Hinesley:good and funny/goodform.zl9 Infected: not-virus:BadJoke.Win32.Stript skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Sent Items/19 Oct 2002 02:07 from Todd R Hinesley:RE: Reference Request - O.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 14, suspicious - 1 skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\TRH.pst/BioLink 12-7-00/John Corral/03 Aug 2000 14:29 from John Corral:FW: Viador/AHIMA show.rtf Infected: Email-Worm.VBS.KakWorm skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\TRH.pst/BioLink 12-7-00/CLR Contacts/14 Jul 2000 14:04 from gary trott:Major Opportunity.rtf Infected: Email-Worm.VBS.KakWorm skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\TRH.pst/BioLink 12-7-00/BioLink Contacts/ME/Africa leads/20 Nov 2000 18:32 from Saurabh:BUSINESS OPPRTUNITY.rtf Infected: Email-Worm.VBS.KakWorm.b skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Outlook\TRH.pst Mail MS Mail: infected - 3 skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Tanagra\Memeo\Tanagra.BMU.Providers.HardDiskBackupProvider2\431DC85C-9CF3-41DA-99F8-C32FC31233BC\manifest.db3 Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\MSHist012007120720071208\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temp\hsperfdata_Todd\4784 Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temp\jar_cache26243.tmp Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temp\Perflib_Perfdata_f90.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temp\xptraqjd.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Todd\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Canon\MultiPASS4\mpdata.dat Object is locked skipped
C:\Program Files\Canon\MultiPASS4\mpdata.idx Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe.log-2007-12-7.log Object is locked skipped
C:\Program Files\Memeo\AutoBackup\MemeoService.exe.log-2007-12-7.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
trhinesley
2007-12-08, 03:00
Here is Part 2:
-------------------------------------------------------------------------------------------
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP320\A0031917.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP321\A0032574.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP321\A0033491.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP321\A0033500.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP321\A0034863.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP321\A0034955.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP324\A0037288.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP324\A0037289.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP324\A0037293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{0F6B645C-0A0B-4A75-89DB-A7874CD40791}\RP325\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F709F9C5-CF99-405D-9986-11E0F1BD6AF9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\exblytsu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\gebxvvw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\gkcbsgdg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pmnnlig.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\prwyptvr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
C:\WINDOWS\system32\rgrdsqcm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET2F87.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
H:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/BL2001/BLSETUP.EXE/WISE0075.BIN Infected: not-a-virus:AdWare.Win32.Background skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/BL2001/BLSETUP.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/FL2001/FLSETUP.EXE/WISE0076.BIN Infected: not-a-virus:AdWare.Win32.Background skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe/Quicken Family Lawyer 2001/FL2001/FLSETUP.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\New Folder\Quicken Family Lawyer 2001.exe RAR: infected - 4 skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\Windows Stuff\rgl17en.exe/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSinc skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\Windows Stuff\rgl17en.exe/TSAdBot.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
H:\Todd\My Docs\Memeo\Todd's Backup - My Docs\C_\Documents and Settings\Todd\Desktop\Downloads\Windows Stuff\rgl17en.exe CAB: infected - 2 skipped
Scan process completed.
trhinesley
2007-12-08, 04:20
My apologies. I posted the previous HJT log file first w/o following the proper procedure. Now I have followed the instructions correctly and done things in the proper order:
Kaspersky scan (log file posted above)
Rebooted in SAFE mode
Ran Spybot 1.5 in SAFE mode until no more red items
Rebooted in Windows and ran HJT (logfile posted below)
Sorry again about going out of order. I hope you didn't spend any time analyzing the first HJT log file that I posted if it is of no help to you/us.
Thanks again for your support.
-----------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:08 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [58a671b4] rundll32.exe "C:\WINDOWS\system32\sfmpwfkv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171678571875
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://facorelogic.webex.com/client/T25L/webex/ieatgpc.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 9596 bytes
pskelley
2007-12-12, 22:55
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37
If you still need help, I would appreciate it if you would read the directions again and follow them, including this one:
Note: In notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.
Do not run and post the Kaspersky scan again until I request it; what I need now is a new HJT log posted according to the directions.
Thanks
pskelley
2007-12-21, 16:24
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.
In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.
Everyone else please begin a New Topic.