View Full Version : Virtumonde.dll
janegard810
2008-02-04, 06:40
Hello, I have run Spybot search and destroy and cant get rid of virtumonde.dll. I am unable to run the online virus scan because I can't seem to modify internet explorer to accept the program. I have run hijack this and my results are below. Thanks so much for your assistance.
Jane
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:15 PM, on 2/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answers.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: Shell=Explorer.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dklur] C:\WINDOWS\System32\hwbcqo.exe reg_run
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.kaspersky.com
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8698 bytes
Hi janegard810
Rename HijackThis.edxe to janegard.exe and post back a fresh HijackThis log, please :)
janegard810
2008-02-05, 17:09
Hello Shaba,
Here is a fresh hijack this log. I renamed hijackthis.exe janegard.exe as you requested.
Thanks for your assistance, Jane
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:53 AM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\janegard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answers.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: Shell=Explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6E31A947-3985-3372-A8AE-6243C167F6EA} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmakti.dll
O2 - BHO: (no name) - {73D13D24-73B9-4596-BE13-3BB7EFC87308} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {79CEF8A9-C618-472C-B45A-DAB3F90E979C} - C:\WINDOWS\System32\sstqo.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B45FC20D-6906-4E72-AA59-392CC61FDAA9} - (no file)
O2 - BHO: (no name) - {EFCE351F-AFD9-AF79-A93D-FBEA6BB774B0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dklur] C:\WINDOWS\System32\hwbcqo.exe reg_run
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.kaspersky.com
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: rqrpqom - rqrpqom.dll (file missing)
O20 - Winlogon Notify: vtstt - C:\WINDOWS\System32\vtstt.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10090 bytes
Hi
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post:
- a fresh HijackThis log
- combofix report
janegard810
2008-02-05, 18:38
ComboFix 08-02.05.3 - Kevin M. Gardner 2008-02-05 10:53:41.1 - NTFSx86
Running from: C:\Documents and Settings\Kevin M. Gardner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\System32\sstqo.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Kevin M. Gardner\Application Data\Dxcdmns.dll
C:\Documents and Settings\Kevin M. Gardner\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Kevin M. Gardner\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Kevin M. Gardner\Application Data\macromedia\Flash Player\#SharedObjects\PBFKZDP8\www.broadcaster.com
C:\Documents and Settings\Kevin M. Gardner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Kevin M. Gardner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Kevin M. Gardner\Application Data\SSTEM3~1
C:\Program Files\Common Files\elitemediagroupoinuninstaller.exe
C:\Program Files\Common Files\tsks~1
C:\Program Files\elticons
C:\Program Files\elticons\chadppicon100.exe
C:\Program Files\elticons\ppicon.ico
C:\Program Files\Seekmo Programs
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1193441009.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\temp\tn3
C:\WINDOWS\bi.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\elpp100drop.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\monterreyb_unknown.exe
C:\WINDOWS\monterreyd_unknown.exe
C:\WINDOWS\monterreye_unknown.exe
C:\WINDOWS\monterreyg_unknown.exe
C:\WINDOWS\monterreyh_unknown.exe
C:\WINDOWS\monterreyi_unknown.exe
C:\WINDOWS\monterreyj_unknown.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\opera6.ini
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\bi.dll
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\lclcfg32.ini
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\monterreyb_unknown.exe
C:\WINDOWS\system32\monterreyd_unknown.exe
C:\WINDOWS\system32\monterreye_unknown.exe
C:\WINDOWS\system32\monterreyf_unknown.exe
C:\WINDOWS\system32\monterreyg_unknown.exe
C:\WINDOWS\system32\monterreyh_unknown.exe
C:\WINDOWS\system32\monterreyi_unknown.exe
C:\WINDOWS\system32\monterreyj_unknown.exe
C:\WINDOWS\system32\monterreyn_unknown.exe
C:\WINDOWS\system32\monterreyo_unknown.exe
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\reginia_unknown.exe
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\wnsapicc.exe
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winhp32.exe
C:\WINDOWS\wnsxs~1
----- BITS: Possible infected sites -----
hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-03 22:02 . 2008-02-03 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 18:23 . 2008-02-03 18:23 156 --a------ C:\WINDOWS\wininit.ini
2008-01-08 22:21 . 2008-01-19 16:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 22:21 . 2008-01-08 22:21 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 22:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 20:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-23 22:34 --------- d-----w C:\Documents and Settings\Kevin M. Gardner\Application Data\U3
2008-01-02 18:57 15,360 ----a-w C:\sysrvsw.exe
2008-01-02 18:56 15,360 ----a-w C:\sysesrv.exe
2008-01-01 00:56 --------- d-----w C:\Program Files\OLYMPUS
2007-12-31 21:43 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-27 00:23 --------- d-----w C:\Program Files\iTunes
2007-12-27 00:20 --------- d-----w C:\Program Files\iPod
2007-12-26 23:50 --------- d-----w C:\Program Files\QuickTime
2007-12-26 22:42 --------- d-----w C:\Program Files\Apple Software Update
2007-12-26 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-15 17:45 6,001,197,056 --sha-w C:\gobackio.bin
2006-07-09 14:56 0 ----a-w C:\Documents and Settings\Kevin M. Gardner\Application Data\internaldb41.dat
2007-04-17 21:51 1,393,483 --sha-w C:\WINDOWS\system32\ttstv.bak1
2007-05-01 18:05 1,398,185 --sha-w C:\WINDOWS\system32\ttstv.bak2
2007-05-01 23:38 1,395,731 --sha-w C:\WINDOWS\system32\ttstv.ini2
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70F6A776-579A-4C95-BA88-134253907752}]
2006-07-03 19:05 405504 --a------ C:\WINDOWS\System32\irsmakti.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08 1511453]
"irssyncd"="C:\WINDOWS\System32\irssyncd.exe" [ ]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 00:20:40 233472]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2004-08-13 11:26:46 803976]
PI Monitor.lnk - C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2007-08-09 20:44:36 86016]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpqom]
rqrpqom.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstt]
C:\WINDOWS\System32\vtstt.dll
R0 GBDevice;GBDevice;C:\WINDOWS\System32\drivers\GBDevice.sys [2004-08-13 11:26]
R0 GoBack2K;GoBack2K;C:\WINDOWS\System32\drivers\GoBack2K.sys [2004-08-13 11:26]
R2 GBFSHook;GBFSHook;C:\WINDOWS\System32\drivers\GBFSHook.sys [2004-08-13 11:26]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\System32\Drivers\NPDRIVER.SYS [2004-08-30 22:38]
S3 SDdriver;SDdriver;C:\WINDOWS\System32\Drivers\sddriver.sys [2004-08-30 22:23]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 17:08:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 14:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 16:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-02 17:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-02 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-02 19:00:01 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-04 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-04 21:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-04 22:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-04 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 00:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 01:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 03:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-02-05 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\wx4Ldch5.exe
"2008-01-19 19:08:34 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1129745133.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 1300 series#1129745133
"2008-02-01 22:20:25 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe)/scan-full /scheduleignorenav /scheduled&C:\Program Files\Norton Security Scan
"2008-01-28 21:19:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-05 05:00:11 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 11:15:04
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-05 11:18:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 16:18:02
janegard810
2008-02-05, 18:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:09 AM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\janegard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answers.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmakti.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.kaspersky.com
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: rqrpqom - rqrpqom.dll (file missing)
O20 - Winlogon Notify: vtstt - C:\WINDOWS\System32\vtstt.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9395 bytes
Hi
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\sysrvsw.exe
C:\sysesrv.exe
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.bak2
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\System32\wx4Ldch5.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70F6A776-579A-4C95-BA88-134253907752}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"irssyncd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpqom]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstt]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
janegard810
2008-02-05, 20:03
ComboFix 08-02.05.3 - Kevin M. Gardner 2008-02-05 12:57:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.158 [GMT -5:00]
Running from: C:\Documents and Settings\Kevin M. Gardner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin M. Gardner\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\sysesrv.exe
C:\sysrvsw.exe
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.bak2
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\System32\wx4Ldch5.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\sysesrv.exe
C:\sysrvsw.exe
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.bak2
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-05 10:43 . 2003-03-31 14:00 375,808 --a------ C:\kmd.exe
2008-02-03 22:02 . 2008-02-03 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 18:23 . 2008-02-03 18:23 156 --a------ C:\WINDOWS\wininit.ini
2008-01-08 22:21 . 2008-01-19 16:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 22:21 . 2008-01-08 22:21 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 22:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 20:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-23 22:34 --------- d-----w C:\Documents and Settings\Kevin M. Gardner\Application Data\U3
2008-01-01 00:56 --------- d-----w C:\Program Files\OLYMPUS
2007-12-31 21:43 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-27 00:23 --------- d-----w C:\Program Files\iTunes
2007-12-27 00:20 --------- d-----w C:\Program Files\iPod
2007-12-26 23:50 --------- d-----w C:\Program Files\QuickTime
2007-12-26 22:42 --------- d-----w C:\Program Files\Apple Software Update
2007-12-26 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-15 17:45 6,001,197,056 --sha-w C:\gobackio.bin
2006-07-09 14:56 0 ----a-w C:\Documents and Settings\Kevin M. Gardner\Application Data\internaldb41.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\bak\Apoint.exe
----a-w 335,872 2003-11-16 01:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 2,321,600 2007-06-25 02:34:01 C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-w 50,792 2006-04-13 20:36:53 C:\Program Files\Common Files\AOL\1129736985\ee\bak\AOLSoftware.exe
----a-w 126,104 2006-03-27 15:57:12 C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe
----a-w 185,784 2006-10-16 00:52:16 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 59,040 2006-04-13 17:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 218,240 2004-11-02 20:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 218,240 2004-11-02 23:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
----a-w 156,408 2006-09-02 03:59:38 C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\bak\GoogleToolbarNotifier.exe
----a-w 49,152 2003-06-25 15:24:48 C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe
----a-w 212,992 2003-06-26 22:50:24 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 184,412 2003-07-17 17:50:26 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe
----a-w 241,664 2003-11-18 12:31:52 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe
----a-w 278,528 2005-10-18 16:58:54 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-12-11 17:10:26 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 32,881 2005-10-19 04:54:50 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 132,248 2004-09-10 02:12:00 C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe
----a-w 366,400 2007-06-15 23:15:02 C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 99,480 2004-04-05 21:33:54 C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe
----a-w 155,648 2005-11-28 22:35:29 C:\Program Files\QuickTime\bak\bak\qttask.exe
----a-w 286,720 2007-12-11 15:56:54 C:\Program Files\QuickTime\QTTask.exe
----a-w 155,648 2005-11-28 22:35:29 C:\Program Files\QuickTime\bak\bak\qttask.exe
----a-w 26,112 2006-08-25 21:52:41 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
----a-w 214,448 2006-10-16 00:52:19 C:\Program Files\Real\RealPlayer\realplay.exe
----a-w 100,056 2005-10-19 14:15:16 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 111,816 2004-11-11 04:15:31 C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe
----a-w 140,880 2005-11-21 22:57:49 C:\Program Files\Viewpoint\Viewpoint Toolbar V35\bak\FotomatDeviceConnect.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08 1511453]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 00:20:40 233472]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2004-08-13 11:26:46 803976]
PI Monitor.lnk - C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2007-08-09 20:44:36 86016]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstt]
C:\WINDOWS\System32\vtstt.dll
R0 GBDevice;GBDevice;C:\WINDOWS\System32\drivers\GBDevice.sys [2004-08-13 11:26]
R0 GoBack2K;GoBack2K;C:\WINDOWS\System32\drivers\GoBack2K.sys [2004-08-13 11:26]
R2 GBFSHook;GBFSHook;C:\WINDOWS\System32\drivers\GBFSHook.sys [2004-08-13 11:26]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\System32\Drivers\NPDRIVER.SYS [2004-08-30 22:38]
S3 SDdriver;SDdriver;C:\WINDOWS\System32\Drivers\sddriver.sys [2004-08-30 22:23]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 17:08:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-19 19:08:34 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1129745133.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 1300 series#1129745133
"2008-02-01 22:20:25 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe)/scan-full /scheduleignorenav /scheduled&C:\Program Files\Norton Security Scan
"2008-01-28 21:19:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-05 05:00:11 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 12:59:14
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-05 13:00:03
ComboFix-quarantined-files.txt 2008-02-05 17:59:49
ComboFix2.txt 2008-02-05 16:18:07
janegard810
2008-02-05, 20:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:20 PM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\janegard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answers.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.kaspersky.com
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: vtstt - C:\WINDOWS\System32\vtstt.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9203 bytes
Hi
Let's check this next just in case:
Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) and save it to your desktop
* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.
**Do not run any other option unless directed to do so.**
janegard810
2008-02-05, 20:42
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Tue 02/05/2008
The current time is: 13:30:00.19
bak folders found
~~~~~~~~~~~
Directory of C:\WINDOWS\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\APOINT2K\BAK
10/07/2003 10:40 PM 159,744 Apoint.exe
1 File(s) 159,744 bytes
Directory of C:\PROGRA~1\IPEE\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\NORTON~1\BAK
09/09/2004 09:12 PM 132,248 cfgwiz.exe
1 File(s) 132,248 bytes
Directory of C:\PROGRA~1\PICASA2\BAK
06/15/2007 06:15 PM 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
10/19/2005 09:15 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
11/15/2003 08:00 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 12:20 PM 59,040 ccApp.exe
1 File(s) 59,040 bytes
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
06/26/2003 05:50 PM 212,992 hpcmpmgr.exe
1 File(s) 212,992 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
06/25/2003 10:24 AM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK
07/17/2003 12:50 PM 184,412 cpqset.exe
1 File(s) 184,412 bytes
Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK
11/18/2003 07:31 AM 241,664 EabServr.exe
1 File(s) 241,664 bytes
Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK
04/05/2004 04:33 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK
11/28/2005 05:35 PM 155,648 qttask.exe
1 File(s) 155,648 bytes
Directory of C:\PROGRA~1\REAL\REALPL~1\BAK
08/25/2006 04:52 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
11/10/2004 11:15 PM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~3\BAK
11/21/2005 05:57 PM 140,880 FotomatDeviceConnect.exe
1 File(s) 140,880 bytes
Directory of C:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK
06/24/2007 09:34 PM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK
03/27/2006 10:57 AM 126,104 IPHSend.exe
1 File(s) 126,104 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
10/15/2006 07:52 PM 185,784 realsched.exe
1 File(s) 185,784 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK
11/02/2004 03:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes
Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\10720~1.415\BAK
09/01/2006 10:59 PM 156,408 GoogleToolbarNotifier.exe
1 File(s) 156,408 bytes
Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
10/18/2005 11:54 PM 32,881 jusched.exe
1 File(s) 32,881 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\112973~1\EE\BAK
04/13/2006 03:36 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 26 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 Dec 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
120464 Sep 24 2005 "C:\Program Files\Norton Internet Security\CfgWiz.exe"
132248 Sep 9 2004 "C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe"
120464 Sep 23 2005 "C:\Program Files\Norton Internet Security\Norton AntiVirus\CfgWiz.exe"
476984 Jun 15 2007 "C:\Program Files\Picasa2\PicasaUpdate.exe"
366400 Jun 15 2007 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
493384 Jun 15 2007 "C:\Program Files\Picasa2\cdautorun\PicasaRestore.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\QTTask.exe"
155648 Nov 28 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
100056 Oct 19 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
335872 Nov 15 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
212992 Jun 26 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Jun 25 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
184412 Jul 17 2003 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
241664 Nov 18 2003 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
99480 Apr 5 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\QTTask.exe"
155648 Nov 28 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
214448 Oct 15 2006 "C:\Program Files\Real\RealPlayer\realplay.exe"
26112 Aug 25 2006 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
111816 Nov 10 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
140880 Nov 21 2005 "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\bak\FotomatDeviceConnect.exe"
45760 Jun 24 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Jun 24 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
126104 Mar 27 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
185784 Oct 15 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
799864 Aug 14 2006 "C:\Documents and Settings\Kevin M. Gardner\My Documents\GoogleToolbarInstaller.exe"
69632 Feb 14 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Mar 29 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
583696 Oct 15 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
136952 Mar 29 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
156408 Sep 1 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\bak\GoogleToolbarNotifier.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
32881 Oct 18 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
50792 Apr 13 2006 "C:\Program Files\Common Files\AOL\1129736985\ee\bak\AOLSoftware.exe"
end of report
Hi
Yes, no awf.
Open HijackThis, click do a system scan only and checkmark these:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O20 - Winlogon Notify: vtstt - C:\WINDOWS\System32\vtstt.dll (file missing)
Close all windows including browser and press fix checked,
Reboot.
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note: This scanner will work with Internet Explorer Only!
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
janegard810
2008-02-05, 21:42
Hello Shaba,
I am trying to run the kaspersky online virus scan and when I click on it I get the message:
"You current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly."
I have tried to change my security settings and even tried to put Kaspersky into the trusted zone and I am still getting this message. Any suggestions??
Thanks,
Jane
Hi
Lets run an F-Secure online scan for Viruses, Spyware and RootKits:
Go to http://support.f-secure.com/enu/home/ols.shtml
Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.
Notes:
This scan will only work with Internet Explorer
You must have administrator rights to run this scan
This scan can take several hours, so please be patient
janegard810
2008-02-07, 07:04
Scanning Report
Wednesday, February 06, 2008 22:39:32 - 23:45:06
Computer name: KEVIN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 105 malware found
DLoader.CJNO (virus)
C:\PROGRAM FILES\MOZILLA FIREFOX\CLIENTAPP1083.EXE
Exploit.HTML.Mht (virus)
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080205-140239-883 (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\21DE3522.HTM (Renamed & Submitted)
Packed.Win32.Morphine.a (virus)
C:\WINDOWS\UPDATE2.HTML (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4D727B42.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\520E0019.DLL (Submitted)
Packed.Win32.Tibs (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0FCA133B.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\29B77D45.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\29B91B59.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3ECF7F02.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3ED87CF7.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\49E34478.EXE (Submitted)
Spyware.Safesurfing (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
Trojan-Clicker.Win32.Delf.hj (virus)
C:\PROGRAM FILES\MOZILLA FIREFOX\CLICK.EXE (Renamed & Submitted)
Trojan-Clicker.Win32.VB.lb (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2019093A.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\39481BEA.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\394B45E6.EXE (Renamed & Submitted)
Trojan-Clicker.Win32.VB.re (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\594A7E23.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\5E003C62.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.agw (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\00961582.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.awf (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0EC635BE.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0FC605B5.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\1A49791E.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\203323C9.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\209A5CD6.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\25DA351D.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\27BA2ED1.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2C5B185A.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\316A711B.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\38840CEB.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\44AC017B.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4F461DB9.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\50053E28.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\50456DB1.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\54343C69.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\54386665.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\543B1062.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\543E3A5E.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\5441645B.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\54450E57.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\6011571D.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\6BA2131C.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\784F4D7F.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.axh (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\13662632.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.bls (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\04501915.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Bomka.r (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\68EA1219.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.PurityScan.be (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\68EE3C15.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Qoologic.at (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\6C3A588A.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7524514B.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Qoologic.bj (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\563D4629.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\58340D55.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7A2F1F15.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Qoologic.c (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2BD33703.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.buy (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2BB95A15.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.bve (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0E4C0BCF.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\13637C35.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.ept (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\164F0AFE.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\165F5CEC.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\1E242E12.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.fjp (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4A085F61.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4AE03274.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Tibs.eq (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4EAC047C.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\731B6C64.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Tibs.fc (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4EB35874.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\731E1661.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Tiny.hj (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3CDB72A7.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.ahq (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\10E02CF9.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\59881BDF.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\645A269C.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.asx (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\16B4208F.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.VB.att (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0E5933C1.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.tw (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0EEB0C86.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\51FC5E43.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7521274E.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7531793D.EXE (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.abb (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\00926B86.EXE (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.bfr (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\599219D4.EXE (Renamed & Submitted)
Trojan-Dropper.Win32.Small.qn (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\035B5087.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\752E4F40.EXE (Renamed & Submitted)
Trojan-Proxy.Win32.Privoxy-based.a (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\058059C7.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\238C0747.EXE (Renamed & Submitted)
Trojan-Spy.Win32.BZub.is (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0E5C5DBD.EXE (Renamed & Submitted)
Trojan-Spy.Win32.VBStat.h (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\16555EF7.DLL (Renamed & Submitted)
Trojan.Win32.Agent.avd (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2FBE5915.EXE (Renamed & Submitted)
Trojan.Win32.Agent.bxj (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\223E6094.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2DF7367A.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2E0E5C61.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2E11065D.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2E185A56.EXE (Renamed & Submitted)
Trojan.Win32.BHO.ab (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\597849F1.EXE (Renamed & Submitted)
Trojan.Win32.Kolweb.b (virus)
C:\WINDOWS\SYSTEM32\DURVILY.DLL (Renamed & Submitted)
Trojan.Win32.Kolweb.l (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\145B562E.DLL (Renamed & Submitted)
Trojan.Win32.Small.mi (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\67A662E0.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\696F58E9.EXE (Renamed & Submitted)
Trojan.Win32.Small.uf (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\28F56DB8.EXE (Renamed & Submitted)
Trojan.Win32.VB.tg (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\51FF0840.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\735D69AF.EXE (Renamed & Submitted)
W32/Malware.PUG (virus)
C:\PROGRAM FILES\MOZILLA FIREFOX\BSHOW.EXE (Submitted)
Win32.TrojanDownloader.Agent (spyware)
System (Disinfected)
not-virus:Hoax.Win32.Renos.fn (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\651B3D9F.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 30543
System: 4350
Not scanned: 5
Actions:
Disinfected: 3
Renamed: 85
Deleted: 0
None: 17
Submitted: 97
Files not scanned:
C:\GOBACKIO.BIN
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{B489A8CF-528A-4B65-9FAE-C0A18B361758}.BIN
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2008-02-06
F-Secure AVP: 7.0.171, 2008-02-07
F-Secure Orion: 1.2.37, 2008-02-06
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2008-01-28
F-Secure Pegasus: 1.19.0, 2008-01-04
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQXJPG SWF
Use Advanced heuristics
--------------------------------------------------------------------------------
Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
janegard810
2008-02-07, 07:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:19 AM, on 2/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\KEVINM~1.GAR\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\KEVINM~1.GAR\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\janegard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answers.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.kaspersky.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: *.kavwebscan
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8477 bytes
Hi
Empty this folder:
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE
Delete these if present:
C:\WINDOWS\SYSTEM32\DURVILY.DLL
C:\PROGRAM FILES\MOZILLA FIREFOX\BSHOW.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\CLIENTAPP1083.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\CLICK.EXE
Empty Recycle Bin.
Still problems?
janegard810
2008-02-08, 15:50
Hello Shaba,
I can't find the folder you suggested I delete.
If I do a search for "quarantine" I only come up with quarantine files in "qoobox" -- it looks like those files are associated with combo fix.
I am thinking of using the norton removal tool and removing all of my norton stuff and using the avg antivirus that is free on line -- what do you think of that idea??
This is my son's computer and he is away at college and it seems that if norton hangs up he just turns it off and runs with no virus protection.
Thanks so much for all of your assistance.
Jane
Hi
If Norton is up-to-date, there is very little reason to uninstall it.
However, if you really want to do it, of course I can assist you.
As for that folder, see here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
and tell me if you can find it now :)
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.