View Full Version : hjt Log - undetected adware possible?
Logfile of HijackThis v1.99.1
Scan saved at 1:33:43 PM, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\shicoxp.exe
C:\WINNT\caxchg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\AuntysPie\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINNT\system32\cbxww.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [shicoxp] C:\WINNT\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] C:\WINNT\caxchg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: cbxww - C:\WINNT\system32\cbxww.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I have been having weird pop-ups and now I am sometimes unable to pull up sites in my browser even though I still have an established internet connection. Pages simply quit loading. I imagine something is trying to redirect my browser and when my antispyware program won't let it, then it just goes to "page not found." Anything here look suspicious? Neither Norton Antivirus, SpyBot or AdAware could find anything. Ewido seemed to find some tracking cookies but after 2 hours of online scanning, the browser window suddenly closed.
Any help would be appreciated.
shelf life
2006-03-21, 01:22
hi Cindylu,
ok, need one more download (VundoFix.exe), also check for any updates to ewdio and your antivirus, spybot and ad aware. just read through this about ewido
-------------------------------
Download VundoFix.exe to your desktop:
http://www.atribune.org/ccount/click.php?id=4
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click YES.
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will shutdown your computer, click OK.
7. Turn your computer back on.
The ewido security suite is now known as ewido anti-malware. If additional information is needed, click A Quick Guide.
1. Please download and install ewido anti-malware v3.5. If ewido finds something that you KNOW is legitimate (watch for alerts that have the word "Heuristic" in them - these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
2. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
3. Launch ewido by double-clicking the "e" icon on your desktop.
4. The program will now go to the main screen.
5. You will need to update ewido to the latest definition files.
1. On the left hand side of the main screen click "Update".
2. Then click on "Start Update".
3. The update will begin and a progress bar will show the updates being installed. If you are having problems with the updater, click Update ewido.
4. After the update finishes, the status bar at the bottom will display "Update successful".
6. After the updates are installed, click on Scanner and select "Settings".
1. Under the bottom section "What to Scan?" select "Scan every file".
2. Select "OK" and you will return to scanning options.
7. Click on "Complete System Scan". This can take a while to complete so please be patient.
8. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose "clean", then CHECK or UNCHECK "Perform action on all infections" and click "OK". Note: You will have to watch the scan all the way through and delete items manually.
9. After the scan has completed, ewido will create a report.
10. There will be a button located on the bottom of the screen named "Save report". Click "Save report" [to your desktop].
11. Exit ewido anti-malware when done.
12. Note: ewido is a free trial product for 14 days. Since ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on Update and Start Update.
Please post the contents of C:\vundofix.txt, the ewido anti-malware log and a new HijackThis log.
--------------------------------
also run your antivirus app and spybot and adaware.
shelf life
Okay, I just got your reply and I will go ahead and download the vundo removal tool.
I did, however, just finish a 2 1/2 hour ewido scan. It found a LOT of tracking cookies and a couple other things. I would like to post the log here but I am unable to because it is too long. I also tried to attach the log and that was too long also so I guess I am out of luck with that.
It seems it cleaned some files (I did sit and delete them one by one) but it said for many others there were errors deleting them.
There were over 2000 tracking cookies. Funny thing is AdAware only detected 40 yesterday.
Here is the .txt file that vundofix generated:
VundoFix V4.2.35
Checking Java version...
Scan started at 7:47:08 PM 3/20/2006
Listing files found while scanning....
C:\WINNT\system32\cbxww.dll
C:\WINNT\system32\wwxbc.ini
C:\WINNT\system32\wwxbc.bak2
C:\WINNT\system32\wwxbc.ini2
C:\WINNT\system32\wwxbc.tmp
C:\WINNT\system32\wwxbc.ini2
C:\WINNT\system32\wwxbc.bak2
C:\WINNT\system32\wwxbc.tmp
C:\WINNT\system32\wwxbc.ini
C:\WINNT\system32\wwxbc.ini2
C:\WINNT\system32\cbxww.dll
Attempting to delete C:\WINNT\system32\cbxww.dll
C:\WINNT\system32\cbxww.dll Has been deleted!
Attempting to delete C:\WINNT\system32\wwxbc.ini
C:\WINNT\system32\wwxbc.ini Has been deleted!
Attempting to delete C:\WINNT\system32\wwxbc.bak2
C:\WINNT\system32\wwxbc.bak2 Has been deleted!
Attempting to delete C:\WINNT\system32\wwxbc.ini2
C:\WINNT\system32\wwxbc.ini2 Has been deleted!
Attempting to delete C:\WINNT\system32\wwxbc.tmp
C:\WINNT\system32\wwxbc.tmp Has been deleted!
Performing Repairs to the registry.
Done!
Looks like you were right! I will continue to run the rest of the scans but I'm guessing Vundo was my main problem here. I was infected with it back in October and eventually had to contact Symantec to have it removed because THEIR removal tool did not work. Looks like this one did work but I will scan again just to be sure.
Thanks for your help and I'll post my results when I'm done scanning. It may take a while.
Cindylu
shelf life
2006-03-21, 05:24
hi Cindylu,
good, you can edit out the tracking cookies in ewido and just post the rest
of the log. also post a new hjt log.........
-----------------
Okay, I will post the hjt log here since I just ran that. I'll have to run the ewido scan again now but that will take a couple of hours.
Can I just go in and delete the cookies.txt files that ewido was unable to delete? Some of them it said there was an error during cleaning and when I did an ewido scan of just the one cookie folder it still couldn't clean them. Can I just manually delete the cookies.txt file?
Anyway, here is my hjt log now:
Logfile of HijackThis v1.99.1
Scan saved at 9:17:04 AM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton
AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\shicoxp.exe
C:\WINNT\caxchg.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
C:\AuntysPie\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - (no
file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 -
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} -
C:\Program Files\Norton Internet Security\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 -
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus -
{C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton
Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [shicoxp] C:\WINNT\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] C:\WINNT\caxchg.exe
O4 - HKLM\..\Run: [MSConfig]
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program
Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot -
Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI -
{669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
(file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A}
- http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -
http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
- https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec
AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish
Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.c
ab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class)
- http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec
Download Bridge) -
https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-
img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
Registry Information Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.c
ab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj
Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file
missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec
Corporation - C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation
(ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton
Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation -
C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -
C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) -
Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton Internet
Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation -
C:\Program Files\Norton Internet Security\Norton
AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
One more question....for some reason the following line in the hjt seems to "ring a bell" with me:
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
Is wvuss.dll a common windows file? Or is this some variant of vundo? I can't seem to find any info on this file anywhere or what it does. Maybe I'm just getting paranoid here.
Thanks again for your time.
shelf life
2006-03-22, 05:35
hi Cindylu,
we can delete cookies another way, but yes you could delete all the cookies in the folder. hopefully the vundoFix took care of that file (wvuss.dll)
ok this time we will use hjt, then boot into SAFE MODE.
but first disable spybots teatimer for now so it dosnt stop the changes, to disable teatimer:
Spybot S&D (Teatimer)
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
------------------
next:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - (no
file)
O4 - HKLM\..\Run: [shicoxp] C:\WINNT\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] C:\WINNT\caxchg.exe
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file
missing)
-------------------------
now time to boot into safe mode:
you might want to copy/paste the rest of this to notepad and save it so you can read it in safe mode.
you reach safe mode by tapping the f8 key during a computer restart. chose the first option from the list: safe mode.
once at the desktop do this:
start>settings>Control Panel> click the Internet options icon
Next:
Click on Delete Cookies.
Click on Delete Files, Make sure Delete all offline content is checked and then click on OK
Then click on Settings, then click on View Files if there is any thing in there, delete what you can
(edit>select all--- then file>delete)
Then at the top in the address bar, at the end where it says:
\Temporary Internet Files
change it to just read: \Temp then hit enter and delete what you can.
Go to:
Start> Run
And type this in:
C:\windows\prefetch
Once this is open Delete everything thats in the folder.
------------------------
Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------
reboot computer normally, rescan and post anew hjt log.
Okay, here is my ewido log which I have cut down because it was so long with all the tracking cookies that could not be cleaned:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:15:55 PM, 3/21/2006
+ Report-Checksum: D3DA5B5
+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.46:C:\Program Files\support.com\backup\Co\cookies.txt\105655_5d08f61d8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.47:C:\Program Files\support.com\backup\Co\cookies.txt\105655_5d08f61d8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
:mozilla.48:C:\Program Files\support.com\backup\Co\cookies.txt\105655_5d08f61d8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning
(and here there was listed a bunch more Tracking Cookies. I cut here to shorten this log because it was too long)
:mozilla.723:C:\Program Files\support.com\backup\Co\cookies.txt\92252_5c4e033d2_/cookies.txt -> TrackingCookie.Esomniture : Error during cleaning
:mozilla.724:C:\Program Files\support.com\backup\Co\cookies.txt\92252_5c4e033d2_/cookies.txt -> TrackingCookie.Coremetrics : Error during cleaning
C:\RECYCLER\S-1-5-21-1531248536-2345893527-723901669-1003\Dc155.exe/ClientAX.dll -> Adware.180Solutions : Cleaned with backup
C:\RECYCLER\S-1-5-21-1531248536-2345893527-723901669-1003\Dc155.exe/ClientAX.dll -> Adware.180Solutions : Cleaned with backup
C:\RECYCLER\S-1-5-21-1531248536-2345893527-723901669-1003\Dc156.exe/F0000031.DAT -> Adware.IGetNet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1531248536-2345893527-723901669-1003\Dc98.exe/ClientAX.dll -> Adware.180Solutions : Cleaned with backup
C:\RECYCLER\S-1-5-21-1531248536-2345893527-723901669-1003\Dc98.exe/ClientAX.dll -> Adware.180Solutions : Cleaned with backup
::Report End
So, besides this I have provided the Vundofix.txt, the new HijackThis log and I have also run a Norton AntiVirus, SpyBot and AdAware......all of which were clean.
I would like to know if this means my computer is clean now. I don't understand why Norton never detected Vundo. I ran a Viruscan right before I found out I had it but it never detected it. Same thing happened the last time I had that same trojan. Am I safe now? I'd really like to file my tax return so I want to make sure I've got this thing out of here now.
Also, I don't think I have a keystroke logger but if I ever thought I did, what would be the signs of one in a HijackThis log? I just wondered if it might be a good idea to run a HijackThis scan each time before using my Paypal and/or online banking.
Oops..........sorry. I didn't see your last post before I posted my last one here.
No, the Vundofix did not delete the wvuss.dll file or at least I can still see it in the new hjt log. I'll follow through with what you instructed in your last post now and then I'll post a new hjt.
Thanks again.
Okay, I did everything you instructed in your last post. Everything went fine except I could not get rid of the following:
020 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
You can see it in the hjt log which I ran just now:
Logfile of HijackThis v1.99.1
Scan saved at 11:35:29 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\AuntysPie\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
There is another logon file here called igfxsrvc.dll, is this a bad file as well? I noticed in hjt they said something about getting rid of the 020 Winlogon Notify files by using "delete file on reboot" or something called Killbox. Can you give me any information on either of those? Is that what I need to get rid of this wvuss.dll?
Thank you again for all your help so far.
shelf life
2006-03-22, 12:39
hi Cindylu,
good. ok that 020 item: wvuss.dll (file missing), It may or may not be gone. the file missing part might be right.
what you can do is manually go to the C:\WINNT\system32 dir. click on name at the top to sort, then see if you can find the wvuss.dll file.
or open hjt click on 'open misc tools section" then click on "delete a file on reboot" copy/paste in>> C:\WINNT\system32\wvuss.dll
select open, then you will be prompted to reboot computer.
the other one is (O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll) is ok.
-----------------------
for fire fox set the options for cookie handling like this:
tools>options>privacy tab>check "allow sites to set cookies" check "for the originating site only" "keep cookies:" until i close firefox.
---------------------
try that, have to go to work now will post back about the keylogger in next reply....
Okay, I tried to find the wvuss.dll in system32 and it did not appear to be there. I have it set so that it should show all hidden files, but I just didn't see it. I also went to hjt and did the "delete the file on reboot" but when I ran a new scan, the line showed up as before as you can see in what follows.
Is this perhaps a command line that is no longer functional because the .dll file has been removed? So that would mean the trojan can't run? Can I go into the Registry Editor and delete this command? Or is it somewhere else?
Anyway, here is the most recent hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 7:43:28 AM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton
AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AuntysPie\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 -
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} -
C:\Program Files\Norton Internet Security\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 -
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus -
{C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton
Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig]
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program
Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway
Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI -
{669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
(file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A}
- http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -
http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
- https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec
AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish
Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.c
ab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class)
- http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec
Download Bridge) -
https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-
img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
Registry Information Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.c
ab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj
Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file
missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec
Corporation - C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation
(ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton
Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation -
C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -
C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) -
Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton Internet
Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation -
C:\Program Files\Norton Internet Security\Norton
AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
As always, thank you for your time and patience.
Cindylu
I did want to report that I found the command for accessing the wvuss.dll file in the Registry Editor. Path is:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\wvuss
There are actually a number of files in the Notify folder. I'm wondering how I can tell if they are legit. Also, is it okay to just delete the folder wvuss from the registry? I don't want to do any registry deletion unless I know for sure.
shelf life
2006-03-23, 02:10
hi Cindylu,
keystroke logger but if I ever thought I did, what would be the signs of one in a HijackThis log
hjt is great for showing processes and where they might be, but it dosnt show everything. a keylogger might show up in a hjt log as a 04 or 023 item, but it might not. some malware is capable of hiding very well. the best thing to do is scan with your apps ocassionaly after updating them.
that registry entry is just a leftover. i dont see any harm in deleting it. (I would back up the registry first) the other items in there i would " google them". i would say you are good to go now.
it looks like you have used msconfig to disable some startup items. if you want recheck them reboot once and you can post another hjt log just to make sure something else dosnt show in the log, unless your sure of what you disabled isnt malware. up to you.
see this link about Java:
http://forums.spybot.info/showthread.php?t=2559
The items I have disabled using msconfig are ones I've had disabled for a long time. It's things like MusicMatch Jukebox, Hotsync, Realplayer Update, stuff like that, that saps resources and that I really only want to use on demand.
I will go through the list, though and see if there is anything that I think needs checked out, then I'll run another hjt log.
I'll take your advice and "google" those other registry entries.
Thanks, I'll post my log after I've done the above.
Hi shelf life
I googled the first item and guess what? It lead me here:
http://forums.spybot.info/showthread.php?t=2600
Guess that's just another testimony as to what a great forum this is!
Everything I thought looked suspicious was listed there so it would appear they are all normal for XP.
Oh and I also wanted to tell you that after reading a few other threads this afternoon, I did uninstall my old Java version completely and installed the new one.
So I will run the new hjt log in the morning but I think I'm probably in pretty good shape now. At least good enough to get some sleep!
Will be back in the a.m.
Cindylu
Okay, I thought things were going great until I ran a Pandascan.
Here is that log...
Incident Status Location
Adware:adware/keenvalue Not disinfected C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/igetnet Not disinfected C:\WINNT\SYSTEM\rules.dat
Adware:adware/cws Not disinfected C:\Documents and Settings\Owner\Favorites\Health
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@64.62.232[3].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c3.gostats[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[1].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\Owner\Cookies\owner@empnads[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@offeroptimizer[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@servlet[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\owner@toplist[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tucows[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@uol.com[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.affiliatefuel[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\55k8n0ks.Cindylu\cookies.txt[.realmedia.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\55k8n0ksbu.Cindylu\cookies.txt[.go.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\55k8n0ks.Cindylu\cookies.txt[]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\55k8n0ksbu.Cindylu\cookies.txt[]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@64.62.232[3].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c3.gostats[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[1].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\Owner\Cookies\owner@empnads[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@offeroptimizer[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@servlet[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\owner@toplist[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tucows[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@uol.com[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.affiliatefuel[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@go[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\105655_5d08f61d8_[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\105655_5d08f61d8_[11042824]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\105655_5d08f61d8_[]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\29049_5a6c022c0_[]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\29049_5fd287b3d_[]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\3268_50ee7fc8e_[]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\48447_57f57f36f_[]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\48447_57f57f36f_[dcsk77fcb2ag4x39a3dv5q9cb_8n5e]
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\48447_57f57f36f_[]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\55705_57ab59659_[]
Spyware:Cookie/go Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\5848_576d24572_[]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\66962_5634657df_[]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\88034_512471509_[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\88034_512471509_[11042824]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\88034_512471509_[]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\88230_511455e43_[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\88230_511455e43_[11042824]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\88230_511455e43_[]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\92252_5c4e033d2_[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\92252_5c4e033d2_[11042824]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\Co\cookies.txt\92252_5c4e033d2_[]
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\fccbb.dll
I went and looked for the fccbb.dll file that they are saying is virtumonde and it is NOT there. I wonder if this could be a leftover from when I had Vundo last October. I had to have Symantec help me delete Vundo manually and I am thinking this fccbb.dll file and the wvuss key that I can't seem to delete are leftover from that. If they are leftover and can't be deleted, can I still be safe?
And here is a fresh hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 11:35:42 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\AuntysPie\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Okay, I have to run but I will check back later. Just can't figure out why that .dll file is supposed to be in WINNT/System32 and it just isn't there.
shelf life
2006-03-24, 02:02
hi Cindylu,
looks like ewido flagged mostly cookies. they are pretty much harmless.
you can dump them tools>internet options>delete cookies
you might also want to try two free apps that will do it for you plus do other things also:
http://www.stevengould.org/software/cleanup/index.html
or
http://www.ccleaner.com/
------------------------
it is possible to have stray harmless leftovers. dlls are useless without a .exe
i think you are good to go, after we make new restore points.......shelf life
Hi shelf life,
It was actually the PandaScan that caught all those cookies and Virtumonde.
Since I couldn't find the fccbb.dll file in system32, and the vundofix.exe didn't find it so I did an ewido scan on just the system32 folder and sure enough, it detected Virtumonde file fccbb.dll. The good news is that it was able to get rid of it for me.
My concern is that ewido did NOT find that file the day before. So I'm a bit concerned as to why that would have just shown up suddenly. I've been trying to be careful and not do too much surfing the last couple of days but I did do some searches on Google and was doing some reading on Vundo/Virtumonde to try and learn more about it.........perhaps one of the sites was some kind of imposter that sent it back to me again. Or is there still something on my computer that's replicating itself?
The other thing is, no matter what I do, I cannot get that wvuss out of my registry. Just keeps saying it can't delete the key. I can't see the wvuss.dll file in system32, but then I couldn't see the fccbb.dll file in system32 either and it was there because ewido found it.
Anyway, I'm glad ewido found it the virtumonde file. Hopefully it was just that one file and hopefully the other one, the wvuss.dll file, isn't lurking around somewhere.
Anyway, here is my latest hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 8:34:39 PM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\AuntysPie\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\system32\wvuss.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Also, the adware that Panda found didn't look like much to me. The one hosts.bho looked empty and the file called rules.dat just had some code in it
like this: O>!!֑/$6Հj!x4%:.(wl
X?*1
So, I don't know if that's anything. Panda seemed to think it was something from igetnet but it just looks like scribble to me.
Anyway, my major concern is why did I get the Vundo/Virtumonde on Friday and then again this morning after I thought it was wiped out? Any thoughts as to why that would happen?
shelf life
2006-03-24, 06:00
hi Cindylu,
It was actually the PandaScan
my bad....
would have just shown up suddenly.
it was most likely there all along, ewido just missed it first time around, it dosnt hurt to run malware apps twice, espically if they find alot of malware first time around. to my knowledge ewido dosnt remove Vundo/Virtumonde. its also a good idea to use 2 malware removal apps.
i dont think just surfing is enough to get "it" , i think it comes as 3rd party add-ons to deliver ads/popups to the user.
there might (not a proven fact) be a relationship between running a older version of java and the malware.
v. J2SE 1.4.2_03
to see what version you have installed check here:
http://www.java.com/en/download/installed.jsp
the latest version is
1.5.0_06
--------------
also see this link:
http://forums.spybot.info/showthread.php?t=2559
Hi shelf life,
All good advice! I did download and install the newest version of Java yesterday. I made sure and removed all the old version as per instructions I found somewhere here.
Ewido claims it cleaned the infected virtumonde file. And the app you told me about, vundofix.exe cleaned out a number of files. So do you think that is sufficient to be able to conside me "clean?"
You said something in another post about making new restore points. I have had my system restore set to off so I wouldn't restore some virus. Should I just turn it back on? Is that what you mean by setting new restore points?
You have been such a great help! I actually think my computer is in better shape now than it was after I had Vundo in October and had the tech from Symantec walk me through deleting it manually. And they charged me $50!
Without all those prefetch files and other junk it's running a lot faster. Thanks again. :)
Cindylu
shelf life
2006-03-25, 01:38
hi Cindylu,
glad to help.
Vundo in October and had the tech from Symantec walk me through deleting it manually. And they charged me $50!
and this is the new version for which symantec dosnt have afix.
have had my system restore set to off so I wouldn't restore some virus. Should I just turn it back on?
yes you should be ok, turning it off and rebooting deletes old possibly malware archived restore points. you can turn it back on and reboot once to make a new clean restore point.
if everything is ok, i leave you with this:
Make sure you keep your Windows OS current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionaly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.
Also download, install and keep updated- Antivirus Software (and use only one):
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)
Adjust your browser settings: Change your(active x) settings in IE. With IE open go to tools, internet options, security tab. Click on the internet globe, then custom level. Set the first option "download signed active x controls" to prompt, the next two to disable. Read more:
Internet Explorer Privacy & Security Settings (https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm)
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer, you dont have to use it. Try a different browser.
Like Firefox (http://www.mozilla.org/products/firefox/),
And Pegasus Mail for a safer e-mail, no tweaking needed. (http://www.pmail.com/)
Outlook Express with the default settings is not secure. It will run scripts, download images etc, just like a browser.
look here (http://www.codecutters.org/outlook/)
and here (http://www.tames.net/security/oesettings.htm)
Install a firewall. A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when a application trys to connect to the internet from your computer, this is a good way to catch crapware or trojans, trying to connect out bound from your computer- whats that and why does it need a internet connection? You can deny it access it until more investigation is done. Zone Alarm is a free and easy to use firewall, that will provide in and outbound protection. Microsoft XP firewall only provides inbound protection. SP2 adds in and out bound protection which is better than nothing, but is not as robust as third party firewalls, Be sure to run only >one< firewall.If you use another, be sure to disable XP's built in firewall. If you use Zone Alarm learn what needs/uses your internet connection. If something unusal or out of the ordinary "asks" deny it access until more investigation is done.
Zone Alarm (http://www.zonelabs.com/store/content/home.jsp)
Kerio (Sunbelt Kerio Personal Firewall)"Free Evaluation" (http://www.kerio.com/us/kpf_home.html)
Outpost Firewall (http://www.agnitum.com/products/outpost/)
Outpost Free Basic Firewall (http://www.agnitum.com/products/outpostfree/index.php)
Jetico Personal Firewall (http://www.jetico.com/index.htm#/jpfirewall.htm)
Tiny Firewall (http://www.tinysoftware.com/home/tiny2?s=5375286922906434776A0&&pg=content05&an=tf6_home)
BlackIce (http://www.digitalriver.com/dr/v2/ec_dynamic.main?SP=1&PN=10&sid=26412)
Download one or two of these, install and update before using:(if these are constantly finding malware, then you need to make changes to your browser and or your habits)
CounterSpy (http://www.sunbelt-software.com/)Free trial version
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft AntiSpyware (beta version) (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Becarful with spyware "removers and scanners"-- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware.Check here first.
Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stop events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) add security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
CleanUp (http://www.stevengould.org/software/CleanUp/index.html) cleans out temps,history, autoforms etc
AntiTrojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Security Suite (http://www.ewido.net/en/)
Trojan Hunter (30 day trial version) (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)
Learn More:
Browser Checkup (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Lifes site (http://security-central.us/SafeHex/index.htm)
Home Computer Security (http://www.cert.org/homeusers/HomeComputerSecurity/)
Wilders Security Advisors (http://www.wilders.org/index.htm)
Watch what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the makers website, learn more about the program, Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits?. Read the EULA agreement, you know, that paragraph of stuff you "agree to" before the software installs? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Becarful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE?
As the problem appears to be resolved this topic will be archived.:bigthumb:
If you need it re-opened please send me a pm and provide a link to the thread.
Glad we could help.