Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan.Vundo [RESOLVED]

Started by BG Runner , Jan 19 2008 12:22 PM

  • This topic is locked This topic is locked

#1
BG Runner
Posted 19 January 2008 - 12:22 PM

BG Runner

    Member

  • Member
  • PipPip
  • 60 posts
I have been plagued by the Trojan Vundo & various others which Norton Antivirus has picked up & quarantined and Spybot Search & Destroy has kept bringing up messages about registry changes & whether to allow these. I have followed your instructions in the "You Must Read This Before Posting A Hijack Log" section as best I can: ATF cleaner used successfully, created a System Restore Point, run a spyware scan with spybot Search & Destroy which only picked up a few things but had much greater success on downloading & running SUPERAntiSpyware which seemed to removed a lot of problems. However I still have the feeling that I have not fully cured the problem as on subsequently running SUPERAntiSpyware there are still Adware.vundo items being detected. Also have problems accessing one website in particular. The latest Norton Antivirus full system scan today shows no problems detected now. I cannot get the Panda ActiveScan to run from the website (does this matter?). Windows Updates are up to date.

Here is my HijackThis Log from today:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:42:34, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\Yahoo!\NAV\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {216E7144-7477-4A10-9669-05C63D4FF176} - (no file)
O2 - BHO: (no name) - {385B80CA-0576-435C-9217-8225B9D3A277} - (no file)
O2 - BHO: (no name) - {3EB533AC-ADA1-493B-BE00-F56EE66E9EFB} - (no file)
O2 - BHO: (no name) - {4694eb69-25d3-424f-b22c-329f57a19166} - (no file)
O2 - BHO: (no name) - {4FD644CD-A918-4EA4-BDD9-E2815C3F56B2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C0CF230-2F9D-4AEA-ACBB-D61BAAC18673} - (no file)
O2 - BHO: (no name) - {77163234-DAD0-49FB-9D7F-0F9147E603BD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B019061-AB37-4367-99EA-88ED050C62B2} - (no file)
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: (no name) - {CD8B1D3E-C0AF-49DA-BE35-61B154BE797C} - (no file)
O2 - BHO: (no name) - {FB56E452-1BB0-4D4D-90F2-8A9B8BCCBA7C} - (no file)
O2 - BHO: {00247306-3bf3-6729-ea04-9ff01b1b9fbf} - {fbf9b1b1-0ff9-40ae-9276-3fb360374200} - C:\WINDOWS\system32\kgiqiaeq.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140043808031
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadban...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxywvs - byxywvs.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10898 bytes

Also the HijackThis Uninstall list:

Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Apple Software Update
AudibleManager
Autograph 3.0
Bookshelf 99 ENG
BT Yahoo! Applications
CC_ccProxyExt
ccCommon
ccPxyCore
C-Media 3D Audio
Forerunner Logbook
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
InterActual Player
Internet Worm Protection
iPod for Windows 2005-02-07
iPod for Windows 2005-10-12
iPod for Windows 2005-11-17
iPod for Windows User Guide
iPod System Software Updater 2.0.1
iTunes
Macromedia Flash Player 8
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSRedist
MUSICMATCH iPod Plug-in
My Spelling Friend
NAVShortcut
Nero - Burning Rom
NETGEAR WG111v2 wireless USB 2.0 adapter
Norton AntiSpam
Norton AntiVirus 2006
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Internet Security
Norton Internet Security
Norton Personal Firewall
Norton Personal Firewall
Norton Personal Firewall
Norton Protection Center
Norton WMI Update
Norton WMI Update
PowerDVD
QuickTime
RealOne Player
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Shockwave
SMART Board Software
SPBBC
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Symantec
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Zoom Ethernet ADSL Modem
Zoom USB ADSL Modem
Zoom USB Network Adapter

Here is the latest SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
Generated 01/19/2008 at 12:50 PM

Application Version : 3.6.1000

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 01:29:40

Memory items scanned : 471
Memory threats detected : 0
Registry items scanned : 4917
Registry threats detected : 0
File items scanned : 61558
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Firstec Customer\Cookies\firstec_customer@tradedoubler[2].txt
C:\Documents and Settings\Firstec Customer\Cookies\firstec_customer@atdmt[2].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\PQTSS.INI
C:\WINDOWS\SYSTEM32\PPQSS.INI

Here is the latest Spybot Search & Destroy log:

-- Report generated: 2008-01-04 22:53 ---

Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-10-14 unins000.exe (51.46.0.0)
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-10-04 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-12-12 Includes\Trojans.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2008-01-02 Includes\Cookies.sbi (*)
2008-01-02 Includes\Revision.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-01-02 Includes\TrojansC.sbi (*)
2008-01-02 Includes\SpybotsC.sbi (*)
2008-01-02 Includes\SecurityC.sbi (*)
2008-01-02 Includes\PUPSC.sbi (*)
2008-01-02 Includes\MalwareC.sbi (*)
2008-01-02 Includes\KeyloggersC.sbi (*)
2008-01-02 Includes\HijackersC.sbi (*)
2008-01-02 Includes\DialerC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll

I hope I have given you enough information to finally resolve my problem.
  • 0

Advertisements

#2
Ryan
Posted 29 January 2008 - 02:23 PM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Welcome to Geekstogo! I'm Ryan, and I'll be helping you clean your computer.

Sorry for the delay in getting to your post, the malware forum is very busy.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

-Ryan
  • 0

#3
BG Runner
Posted 29 January 2008 - 04:35 PM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Thanks for getting back to me, Ryan.
Combofix downloaded and run. After shutting down Windows on the first run here is the log of a re-run:

ComboFix 08-01-30.1 - Firstec Customer 2008-01-30 22:17:30.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT 0:00]
Running from: C:\Documents and Settings\Firstec Customer\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\ppqss.ini2
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\uttss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 22:09 . 2008-01-30 22:09 <DIR> d--hs---- C:\FOUND.016
2008-01-19 15:35 . 2008-01-19 15:35 <DIR> d-------- C:\HijackThis
2008-01-13 22:06 . 2008-01-13 22:06 <DIR> d-------- C:\VundoFix Backups
2008-01-13 21:52 . 2008-01-13 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-09 22:30 . 2008-01-09 22:31 156 --a------ C:\_NIM4711.TMP
2008-01-04 23:12 . 2008-01-04 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-04 23:11 . 2008-01-04 23:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-04 23:11 . 2008-01-04 23:12 <DIR> d-------- C:\Documents and Settings\Firstec Customer\Application Data\SUPERAntiSpyware.com
2008-01-04 23:10 . 2008-01-04 23:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 22:08 . 2007-12-30 22:08 268 ---h----- C:\sqmdata19.sqm
2007-12-30 22:08 . 2007-12-30 22:08 244 ---h----- C:\sqmnoopt19.sqm
2007-12-28 19:39 . 2007-12-29 01:01 354 ---hs---- C:\WINDOWS\system32\tarmoovk.ini
2007-12-26 23:06 . 2007-12-27 19:31 354 ---hs---- C:\WINDOWS\system32\rcnapdjy.ini
2007-12-26 19:31 . 2007-12-26 19:31 268 ---h----- C:\sqmdata18.sqm
2007-12-26 19:31 . 2007-12-26 19:31 244 ---h----- C:\sqmnoopt18.sqm
2007-12-26 19:29 . 2007-12-26 19:29 268 ---h----- C:\sqmdata17.sqm
2007-12-26 19:29 . 2007-12-26 19:29 244 ---h----- C:\sqmnoopt17.sqm
2007-12-26 18:19 . 2007-12-26 18:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-26 17:15 . 2007-12-26 17:15 294 ---hs---- C:\WINDOWS\system32\ouamfewd.ini
2007-12-23 16:50 . 2007-12-23 22:28 354 ---hs---- C:\WINDOWS\system32\ekefqgre.ini
2007-12-23 14:44 . 2007-12-23 14:44 268 ---h----- C:\sqmdata16.sqm
2007-12-23 14:44 . 2007-12-23 14:44 244 ---h----- C:\sqmnoopt16.sqm
2007-12-22 13:37 . 2007-12-22 13:37 268 ---h----- C:\sqmdata15.sqm
2007-12-22 13:37 . 2007-12-22 13:37 244 ---h----- C:\sqmnoopt15.sqm
2007-12-19 19:47 . 2007-12-19 19:50 6,519 --ahs---- C:\WINDOWS\system32\ijkmp.ini
2007-12-19 19:36 . 2007-12-19 19:36 7,175 --a------ C:\WINDOWS\system32\vxpqbwbu.dll
2007-12-17 20:58 . 2007-12-17 20:58 268 ---h----- C:\sqmdata14.sqm
2007-12-17 20:58 . 2007-12-17 20:58 244 ---h----- C:\sqmnoopt14.sqm
2007-12-11 17:31 . 2007-12-11 17:31 244 ---h----- C:\sqmnoopt13.sqm
2007-12-11 17:31 . 2007-12-11 17:31 232 ---h----- C:\sqmdata13.sqm
2007-12-10 22:39 . 2007-12-10 22:39 39,936 --a------ C:\WINDOWS\system32\khffgfe.dll
2007-12-10 22:39 . 2007-12-10 22:39 244 ---h----- C:\sqmnoopt12.sqm
2007-12-10 22:39 . 2007-12-10 22:39 232 ---h----- C:\sqmdata12.sqm
2007-12-10 21:49 . 2007-12-10 21:49 <DIR> d--hs---- C:\FOUND.015
2007-12-10 21:34 . 2007-12-10 21:34 244 ---h----- C:\sqmnoopt11.sqm
2007-12-10 21:34 . 2007-12-10 21:34 232 ---h----- C:\sqmdata11.sqm
2007-12-10 21:31 . 2007-12-10 21:31 39,936 --a------ C:\WINDOWS\system32\efcbbca.dll
2007-12-10 20:54 . 2007-12-10 20:54 244 ---h----- C:\sqmnoopt10.sqm
2007-12-10 20:54 . 2007-12-10 20:54 232 ---h----- C:\sqmdata10.sqm
2007-12-10 20:14 . 2007-12-10 20:14 244 ---h----- C:\sqmnoopt09.sqm
2007-12-10 20:14 . 2007-12-10 20:14 232 ---h----- C:\sqmdata09.sqm
2007-12-10 20:04 . 2007-12-10 20:04 244 ---h----- C:\sqmnoopt08.sqm
2007-12-10 20:04 . 2007-12-10 20:04 232 ---h----- C:\sqmdata08.sqm
2007-12-10 18:05 . 2007-12-10 18:05 <DIR> d-------- C:\Documents and Settings\Lucy\Contacts
2007-12-01 15:45 . 2007-12-01 15:45 268 ---h----- C:\sqmdata07.sqm
2007-12-01 15:45 . 2007-12-01 15:45 244 ---h----- C:\sqmnoopt07.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 21:02 21,064 ----a-w C:\Documents and Settings\Rory\Application Data\GDIPFONTCACHEV1.DAT
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-16 22:25 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-04 00:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 14:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 14:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-26 21:18 21,064 ----a-w C:\Documents and Settings\Firstec Customer\Application Data\GDIPFONTCACHEV1.DAT
2007-08-22 18:01 6,976 ------w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2002-12-24 15:30 3,392 ----a-w C:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{216E7144-7477-4A10-9669-05C63D4FF176}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385B80CA-0576-435C-9217-8225B9D3A277}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EB533AC-ADA1-493B-BE00-F56EE66E9EFB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4694eb69-25d3-424f-b22c-329f57a19166}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD644CD-A918-4EA4-BDD9-E2815C3F56B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C0CF230-2F9D-4AEA-ACBB-D61BAAC18673}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77163234-DAD0-49FB-9D7F-0F9147E603BD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B019061-AB37-4367-99EA-88ED050C62B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD8B1D3E-C0AF-49DA-BE35-61B154BE797C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB56E452-1BB0-4D4D-90F2-8A9B8BCCBA7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fbf9b1b1-0ff9-40ae-9276-3fb360374200}]
C:\WINDOWS\system32\kgiqiaeq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"eyeBeam SIP Client"="C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 13:16 68856]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 17:38 1003520]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2006-08-31 16:01 448040]
"YBrowser"="C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-07 12:16 151597]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"Motive SmartBridge"="C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe" [2006-02-02 18:54 54976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 11:41 67264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-08-03 02:04:44 565248]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxywvs]
byxywvs.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2004-03-29 06:45]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 22:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 23:42:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Firstec Customer.job"
- C:\PROGRA~1\Yahoo!\NAV\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 22:22:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-01-30 22:25:32 - machine was rebooted [Firstec Customer]
ComboFix-quarantined-files.txt 2008-01-30 22:25:28
.
2008-01-08 23:01:22 --- E O F ---

Here is the HijackThis Log also:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:07, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {216E7144-7477-4A10-9669-05C63D4FF176} - (no file)
O2 - BHO: (no name) - {385B80CA-0576-435C-9217-8225B9D3A277} - (no file)
O2 - BHO: (no name) - {3EB533AC-ADA1-493B-BE00-F56EE66E9EFB} - (no file)
O2 - BHO: (no name) - {4694eb69-25d3-424f-b22c-329f57a19166} - (no file)
O2 - BHO: (no name) - {4FD644CD-A918-4EA4-BDD9-E2815C3F56B2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C0CF230-2F9D-4AEA-ACBB-D61BAAC18673} - (no file)
O2 - BHO: (no name) - {77163234-DAD0-49FB-9D7F-0F9147E603BD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B019061-AB37-4367-99EA-88ED050C62B2} - (no file)
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: (no name) - {CD8B1D3E-C0AF-49DA-BE35-61B154BE797C} - (no file)
O2 - BHO: (no name) - {FB56E452-1BB0-4D4D-90F2-8A9B8BCCBA7C} - (no file)
O2 - BHO: {00247306-3bf3-6729-ea04-9ff01b1b9fbf} - {fbf9b1b1-0ff9-40ae-9276-3fb360374200} - C:\WINDOWS\system32\kgiqiaeq.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140043808031
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadban...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxywvs - byxywvs.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10508 bytes

I await your further advice
  • 0

#4
Ryan
Posted 29 January 2008 - 05:29 PM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

-Ryan
  • 0

#5
BG Runner
Posted 30 January 2008 - 10:55 AM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
As instructed. Here is the CF_RC log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

BG Runner
  • 0

#6
Ryan
Posted 30 January 2008 - 10:31 PM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\tarmoovk.ini
C:\WINDOWS\system32\rcnapdjy.ini
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\ouamfewd.ini
C:\WINDOWS\system32\ekefqgre.ini
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\vxpqbwbu.dll
C:\WINDOWS\system32\khffgfe.dll
C:\WINDOWS\system32\efcbbca.dll
C:\WINDOWS\system32\kgiqiaeq.dll
C:\WINDOWS\system32\byxywvs.dll

Registry::
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{216E7144-7477-4A10-9669-05C63D4FF176}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385B80CA-0576-435C-9217-8225B9D3A277}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EB533AC-ADA1-493B-BE00-F56EE66E9EFB}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4694eb69-25d3-424f-b22c-329f57a19166}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD644CD-A918-4EA4-BDD9-E2815C3F56B2}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C0CF230-2F9D-4AEA-ACBB-D61BAAC18673}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77163234-DAD0-49FB-9D7F-0F9147E603BD}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B019061-AB37-4367-99EA-88ED050C62B2}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD8B1D3E-C0AF-49DA-BE35-61B154BE797C}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB56E452-1BB0-4D4D-90F2-8A9B8BCCBA7C}
-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fbf9b1b1-0ff9-40ae-9276-3fb360374200}



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

-Ryan
  • 0

#7
BG Runner
Posted 31 January 2008 - 11:00 AM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
combofix.txt log:

ComboFix 08-01-30.1 - Firstec Customer 2008-02-01 16:50:58.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.141 [GMT 0:00]
Running from: C:\Documents and Settings\Firstec Customer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Firstec Customer\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\byxywvs.dll
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\efcbbca.dll
C:\WINDOWS\system32\ekefqgre.ini
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\kgiqiaeq.dll
C:\WINDOWS\system32\khffgfe.dll
C:\WINDOWS\system32\ouamfewd.ini
C:\WINDOWS\system32\rcnapdjy.ini
C:\WINDOWS\system32\tarmoovk.ini
C:\WINDOWS\system32\vxpqbwbu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\efcbbca.dll
C:\WINDOWS\system32\ekefqgre.ini
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\khffgfe.dll
C:\WINDOWS\system32\ouamfewd.ini
C:\WINDOWS\system32\rcnapdjy.ini
C:\WINDOWS\system32\tarmoovk.ini
C:\WINDOWS\system32\vxpqbwbu.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-31 16:53 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-31 16:53 . 2008-01-13 13:27 211 --a------ C:\Boot.bak
2008-01-30 22:09 . 2008-01-30 22:09 <DIR> d--hs---- C:\FOUND.016
2008-01-19 15:35 . 2008-01-19 15:35 <DIR> d-------- C:\HijackThis
2008-01-13 22:06 . 2008-01-13 22:06 <DIR> d-------- C:\VundoFix Backups
2008-01-13 21:52 . 2008-01-13 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-09 22:30 . 2008-01-09 22:31 156 --a------ C:\_NIM4711.TMP
2008-01-04 23:12 . 2008-01-04 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-04 23:11 . 2008-01-04 23:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-04 23:11 . 2008-01-04 23:12 <DIR> d-------- C:\Documents and Settings\Firstec Customer\Application Data\SUPERAntiSpyware.com
2008-01-04 23:10 . 2008-01-04 23:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-28 21:02 21,064 ----a-w C:\Documents and Settings\Rory\Application Data\GDIPFONTCACHEV1.DAT
2007-08-26 21:18 21,064 ----a-w C:\Documents and Settings\Firstec Customer\Application Data\GDIPFONTCACHEV1.DAT
2007-08-22 18:01 6,976 ------w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2002-12-24 15:30 3,392 ----a-w C:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"eyeBeam SIP Client"="C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 13:16 68856]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 17:38 1003520]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2006-08-31 16:01 448040]
"YBrowser"="C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-07 12:16 151597]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"Motive SmartBridge"="C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe" [2006-02-02 18:54 54976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 11:41 67264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-08-03 02:04:44 565248]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxywvs]
byxywvs.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2004-03-29 06:45]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 22:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 23:42:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Firstec Customer.job"
- C:\PROGRA~1\Yahoo!\NAV\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 16:53:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 16:53:47
ComboFix-quarantined-files.txt 2008-02-01 16:53:44
ComboFix2.txt 2008-01-30 22:25:34
.
2008-01-08 23:01:22 --- E O F ---

Latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:52, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\microsoft money 2005\mnycorefiles\mnybbsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {216E7144-7477-4A10-9669-05C63D4FF176} - (no file)
O2 - BHO: (no name) - {385B80CA-0576-435C-9217-8225B9D3A277} - (no file)
O2 - BHO: (no name) - {3EB533AC-ADA1-493B-BE00-F56EE66E9EFB} - (no file)
O2 - BHO: (no name) - {4694eb69-25d3-424f-b22c-329f57a19166} - (no file)
O2 - BHO: (no name) - {4FD644CD-A918-4EA4-BDD9-E2815C3F56B2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C0CF230-2F9D-4AEA-ACBB-D61BAAC18673} - (no file)
O2 - BHO: (no name) - {77163234-DAD0-49FB-9D7F-0F9147E603BD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B019061-AB37-4367-99EA-88ED050C62B2} - (no file)
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: (no name) - {CD8B1D3E-C0AF-49DA-BE35-61B154BE797C} - (no file)
O2 - BHO: (no name) - {FB56E452-1BB0-4D4D-90F2-8A9B8BCCBA7C} - (no file)
O2 - BHO: (no name) - {fbf9b1b1-0ff9-40ae-9276-3fb360374200} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140043808031
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadban...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxywvs - byxywvs.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10390 bytes

I hope this okay. Thanks for your help so far.

BG Runner
  • 0

#8
BG Runner
Posted 31 January 2008 - 11:52 AM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Forgot to mention that I did not & have not rebooted after running latest Combofix and HijackThis. Do I need to?
  • 0

#9
Ryan
Posted 31 January 2008 - 01:38 PM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s)

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {216E7144-7477-4A10-9669-05C63D4FF176} - (no file)
O2 - BHO: (no name) - {385B80CA-0576-435C-9217-8225B9D3A277} - (no file)
O2 - BHO: (no name) - {3EB533AC-ADA1-493B-BE00-F56EE66E9EFB} - (no file)
O2 - BHO: (no name) - {4694eb69-25d3-424f-b22c-329f57a19166} - (no file)
O2 - BHO: (no name) - {4FD644CD-A918-4EA4-BDD9-E2815C3F56B2} - (no file)
O2 - BHO: (no name) - {6C0CF230-2F9D-4AEA-ACBB-D61BAAC18673} - (no file)
O2 - BHO: (no name) - {77163234-DAD0-49FB-9D7F-0F9147E603BD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B019061-AB37-4367-99EA-88ED050C62B2} - (no file)
O2 - BHO: (no name) - {CD8B1D3E-C0AF-49DA-BE35-61B154BE797C} - (no file)
O2 - BHO: (no name) - {FB56E452-1BB0-4D4D-90F2-8A9B8BCCBA7C} - (no file)
O2 - BHO: (no name) - {fbf9b1b1-0ff9-40ae-9276-3fb360374200} - (no file)
O20 - Winlogon Notify: byxywvs - byxywvs.dll (file missing)

Close all open windows except for HiJack This and click fix checked.

Reboot your computer.


== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyClose all Internet Explorer, Firefox, and Opera windows before continuing.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


== Clear System Restore==

Let's make a new restore point and clear the others:Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point. Please do this for each hard drive that you have connected to the computer


== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner
You will need to use Internet Explorer to do this

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan.

-Ryan
  • 0

#10
BG Runner
Posted 31 January 2008 - 04:39 PM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Fix checked HijackThis items.
ATF Cleaner used.
New System Restore Point made.
Kaspersky Scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 01, 2008 10:20:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/01/2008
Kaspersky Anti-Virus database records: 541974
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 61124
Number of viruses found: 11
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 00:46:34

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\RTacDbg.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A9BC6EB6-8BD7-432C-A059-2F3E3AAE1282}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-01_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63BE214A.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4973435F.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bnt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B722D90.tmp Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B967B68.tmp Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5BBA4941.tmp Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EB055FF.tmp Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\611F2951.exe Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\638C52A6.tmp Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\647477A7.tmp Infected: Trojan-Downloader.Win32.Delf.dgy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\59FA7C04 Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\019F4DCE.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\020E6154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A5F502D.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A6F221B.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18F44621.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18FA1A1A.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\193B61D2.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\194235CB.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19BB4746.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73853A76.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bnt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73A33456.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bnt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73D00024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bnt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BC45D83.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\023377B2.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14A2756A.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45EE004E.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43FB56B9.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E3902B1.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00B87CBC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B956D9F.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10995A63.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10C72630.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7DD23B9A.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\042C0452.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\101D6B79.IE5 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20203FDB.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\204A61AC.IE5 Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Firstec Customer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Temp\~DFED1.tmp Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Temp\~DFEE8.tmp Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Temp\Perflib_Perfdata_520.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\History\History.IE5\MSHist012008020120080202\index.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Firstec Customer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Firstec Customer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Firstec Customer\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Yahoo!\NAV\Savrt\0935NAV~.TMP Object is locked skipped
C:\Program Files\Yahoo!\NAV\Savrt\0815NAV~.TMP Object is locked skipped
C:\Program Files\Yahoo!\NAV\AVVirus.log Object is locked skipped
C:\Program Files\Yahoo!\NAV\AVApp.log Object is locked skipped
C:\Program Files\Yahoo!\NAV\AVError.log Object is locked skipped
C:\Program Files\SMART Board Software\SMARTBoardService.log Object is locked skipped
C:\System Volume Information\_restore{BF2E41C5-6F9B-4A16-AE80-40733B0D49FF}\RP25\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcbbca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khffgfe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vxpqbwbu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped

Scan process completed.


At the end of the scan Norton Antivirus quarantined Backdoor.Trojan with details C:\Documents & Settings\Firstec Customer\Desktop\VirtumundeBeGone.exe. Should I delete this from the desktop????

BG Runner
  • 0

Advertisements

#11
Ryan
Posted 31 January 2008 - 04:53 PM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Things look good.

Yes, you can delete VirtumondeBeGone.exe.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


  • Posted Image

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

You should also clear out the Symantec Quarantine; please see the following page for information on how to do so: http://www.uwsp.edu/...vQuarantine.htm

How is the computer running?

-Ryan
  • 0

#12
BG Runner
Posted 31 January 2008 - 05:20 PM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Done the house-keeping as suggested.

Cleared out the Symantec Quarantine.

Computer running well except I am still having difficulty accessing one particular website. Any suggestions?

Are there any particular things I should do to prevent re-infection?

Are there any things I can do to speed up the start-up? Should I be re-directed to another forum?

BG Runner
  • 0

#13
Ryan
Posted 31 January 2008 - 06:04 PM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
What is the error when you try to visit the website?

Post a new hijack this log, and I'll take a look at what can be stopped from starting when you log onto your computer.

-Ryan
  • 0

#14
BG Runner
Posted 01 February 2008 - 01:44 AM

BG Runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
There is no error message but the particular website is a bank website which I used to be able to get onto very easily. Do you need the web address? It just fails to load whereas all other websites tried load easily.

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:42:32, on 02/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\YAHOO!\YOP\secstat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140043808031
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadban...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9486 bytes

BG Runner
  • 0

#15
Ryan
Posted 01 February 2008 - 09:29 AM

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Is it using a secure connection (is the first part of the address all the way on the left https:// instead of http://)?

Are you able to load the site from a different computer?

On your computer, are you able to access other sites that use secure connections?

-Ryan
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP