
winfixer / winantivirus [CLOSED]


#1
davidcrossley (Member, 11 posts)
Hi.

I'm trying to fix this winfixer / winantivirus trojan and have followed the advice at http://www.geekstogo...showtopic=78841
but my HJT log does not have the entries

C:\WINDOWS\system32\ttutv.*
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\vtutt.dll
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll

can anyone help?

With thanks, David


#2
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello David

Please post a fresh HJT log from normal mode and I'll take a look. It is very unlikely that you will have the same Trojan as another member on your PC. Instructions for using HJT can be found in the topic CLICK HERE above, step 5.

#3
davidcrossley (Topic Starter, Member, 11 posts)
Hi CrustyOldMan

I'm at work now so not in front of my home PC anymore.

I will be home from work about 4.15 pm if you are around then to help that would be great.

Thanks for your reply, David

#4
davidcrossley (Topic Starter, Member, 11 posts)
Hi CrustyOldMan

I'm at work now so not in front of my home PC anymore.

I will be home from work about 4.15 pm if you are around then to help that would be great.

Thanks for your reply, David

#5
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
I'll check it when you post it.

#6
davidcrossley (Topic Starter, Member, 11 posts)
Thanks.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 06:54:23, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Security Task Manager\taskman.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nero MediaHome] "C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://195.128.105.11/activex/AMC.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...on/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6ADC8EE-13E3-43C5-B5FF-B6A5BA3A947E}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HistorySweepService - Unknown owner - C:\Program Files\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - Unknown owner - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
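The log above is the kind of artefact a helper reads by hand; as an added example (not from this thread or from HijackThis itself), here is a small Python triage pass over HJT v1.99 entry lines that picks out the three entry types acted on later in the thread: O15 Trusted Zone entries, O16 ActiveX controls downloaded from a bare IP address, and O23 services whose binary is missing. The sample log is a constructed excerpt modelled on the entries posted above; the download host in the EPSON line is a made-up placeholder.

```python
"""Triage pass over HijackThis (HJT) v1.99 log entries.

Picks out the entry types acted on in this thread: Internet Explorer
Trusted Zone entries (O15), ActiveX controls (O16) downloaded from a bare
IP address, and registered services (O23) whose binary is missing.
Added example, not part of the thread or of HijackThis itself.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt in HJT v1.99.1 line format, modelled on the log posted
# above. The EPSON download host is a made-up placeholder.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted IP range: http://202.67.220.225
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://195.128.105.11/activex/AMC.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://download.example.invalid/ESTPTest.cab
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# An HJT entry line is a section code (R0, F2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O15"
    reason: str    # why this entry is worth a look
    detail: str    # the URL, host or service name concerned


def parse_entries(log_text):
    """Yield (section, body) for each HJT entry line.

    Header lines and the running-process list do not match and are skipped.
    """
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def host_is_bare_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text):
    """Return the Findings for one HJT log, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O15":
            # "Trusted Zone: <url>" or "Trusted IP range: <url>". Sites in the
            # Trusted Zone get IE's relaxed security settings, so every entry
            # is reported; bare IPs and wildcards are called out specially.
            kind, _, target = body.partition(": ")
            if kind == "Trusted IP range" or host_is_bare_ip(target):
                reason = "bare IP address in IE Trusted Zone"
            elif "*" in target:
                reason = "wildcard domain in IE Trusted Zone"
            else:
                reason = "site in IE Trusted Zone (relaxed security settings)"
            findings.append(Finding(section, reason, target))
        elif section == "O16":
            # "DPF: {CLSID} (Name) - <url>": the download URL is the last field.
            url = body.rsplit(" - ", 1)[-1]
            if host_is_bare_ip(url):
                findings.append(Finding(section, "ActiveX control downloaded from a bare IP address", url))
        elif section == "O23" and body.endswith("(file missing)"):
            # "Service: <name> - <owner> - <path> (file missing)": a service
            # still registered after its binary is gone is worth cleaning up.
            name = body.split(" - ", 1)[0].removeprefix("Service: ")
            findings.append(Finding(section, "service registered but its binary is missing", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```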

#7
davidcrossley (Topic Starter, Member, 11 posts)
Hi. I decided to run Vundo one more time and this time it came back with errors (see the log below of what it removed), and then below that a new HJT log.

VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 19:14:02 04/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 05:49:05 12/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 06:25:36 17/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 06:45:04 17/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.0

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 07:06:39 8/19/2006

Listing files found while scanning....


VundoFix V6.1.0

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 07:15:05 8/19/2006

Listing files found while scanning....

C:\WINDOWS\system32\bvejcjew.exe
C:\WINDOWS\system32\irnxirgc.exe
C:\WINDOWS\system32\nxkghtlp.exe
C:\WINDOWS\system32\pigrmlid.exe
C:\WINDOWS\system32\tomapvbx.exe
C:\WINDOWS\system32\uqqeknqu.exe
C:\WINDOWS\system32\xfauxvts.exe
C:\WINDOWS\system32\bvejcjew.exe
C:\WINDOWS\system32\irnxirgc.exe
C:\WINDOWS\system32\nxkghtlp.exe
C:\WINDOWS\system32\pigrmlid.exe
C:\WINDOWS\system32\tomapvbx.exe
C:\WINDOWS\system32\uqqeknqu.exe
C:\WINDOWS\system32\xfauxvts.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bvejcjew.exe
C:\WINDOWS\system32\bvejcjew.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\irnxirgc.exe
C:\WINDOWS\system32\irnxirgc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nxkghtlp.exe
C:\WINDOWS\system32\nxkghtlp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pigrmlid.exe
C:\WINDOWS\system32\pigrmlid.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tomapvbx.exe
C:\WINDOWS\system32\tomapvbx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uqqeknqu.exe
C:\WINDOWS\system32\uqqeknqu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xfauxvts.exe
C:\WINDOWS\system32\xfauxvts.exe Has been deleted!

Performing Repairs to the registry.
Done!

HJT

Logfile of HijackThis v1.99.1
Scan saved at 07:32:49, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nero MediaHome] "C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://195.128.105.11/activex/AMC.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...on/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6ADC8EE-13E3-43C5-B5FF-B6A5BA3A947E}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HistorySweepService - Unknown owner - C:\Program Files\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - Unknown owner - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#8
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello David and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans. Let’s see what we can do.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
combofix.exe

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close Ewido. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the System tab, and under the heading of Applications uncheck Ewido Security Suite log, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues – fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Please note that your log shows that you appear to have the latest Vundo variant that has the ability to hide from HJT. Please right click on hijackthis.exe and rename it to crusty.exe before doing the rescan.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please).

#9
davidcrossley (Topic Starter, Member, 11 posts)
Hi Crustyoldbloke

Thanks for your reply. I got to work with the actions you asked me to perform and have the logs ready.

To answer your question, this PC has two accounts, mine and my partner's (hence why I can't always be online), and at present the guest account is enabled as we have visitors.

I didn't realise I was in such a bad way. I often run apps like Spybot, Adaware and PCBugDoctor. I also have Norton AV running all the time and have a weekly schedule for a scan. I try to keep the registry up to date using TuneUp Utilities, so I was a little surprised to read that I had a fair amount of malware and trojans. Anyway, this prompted me to be more grateful for the help. Here are the logs:

EWIDO
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:21:56 8/20/2006

+ Scan result:



C:\Documents and Settings\Guest\Local Settings\Temp\aekdkfsy.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\bycaalqw.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\mpgbferv.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa\Local Settings\Temp\amfvvthn.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa\Local Settings\Temp\jljekdej.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa\Local Settings\Temp\pgeckxfs.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa\Local Settings\Temp\pokaudqu.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa\Local Settings\Temp\sgaymdum.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\bvejcjew.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\irnxirgc.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\nxkghtlp.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\pigrmlid.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\tomapvbx.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\uqqeknqu.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\xfauxvts.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\Internet Downloads\EvID4226Patch223d-en(2).zip/EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
C:\Internet Downloads\EvID4226Patch223d-en.zip/EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
C:\unzipped\EvID4226Patch223d-en(2)\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\David Again\Cookies\david [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\yrjtadqo.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).


::Report end

COMBOFIX
David Again - 06-08-20 7:30:43.40
ComboFix 06.08.18 - Running from: C:\Documents and Settings\David Again\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-20 to 2006-08-20 ))))))))))))))))))))))))))))))))))


2006-08-18 17:18 206,848 C:\WINDOWS\system32\ttutv.ini2
2006-08-17 06:01 502,272 C:\WINDOWS\system32\winlogon.exe
2006-08-14 06:51 86,016 C:\WINDOWS\unvise32.exe
2006-08-10 20:31 520,192 C:\WINDOWS\system32\ati2sgag.exe
2006-08-10 20:12 9,136 C:\WINDOWS\system32\INETWH16.DLL
2006-08-10 20:12 81,408 C:\WINDOWS\system32\LFFAX11N.DLL
2006-08-10 20:12 744,448 C:\WINDOWS\system32\LTANN11N.DLL
2006-08-10 20:12 74,240 C:\WINDOWS\system32\LFPCT11N.DLL
2006-08-10 20:12 66,560 C:\WINDOWS\system32\atiyuv12.dll
2006-08-10 20:12 59,392 C:\WINDOWS\system32\LFWMF11N.DLL
2006-08-10 20:12 56,832 C:\WINDOWS\system32\Iyvu9_32.dll
2006-08-10 20:12 56,320 C:\WINDOWS\system32\LFPSD11N.DLL
2006-08-10 20:12 47,104 C:\WINDOWS\system32\LFICA11N.DLL
2006-08-10 20:12 45,056 C:\WINDOWS\system32\atimiaaa.dll
2006-08-10 20:12 41,472 C:\WINDOWS\system32\LFGIF11N.DLL
2006-08-10 20:12 392,192 C:\WINDOWS\system32\LTKRN11N.DLL
2006-08-10 20:12 38,400 C:\WINDOWS\system32\LTTWN11N.DLL
2006-08-10 20:12 36,864 C:\WINDOWS\system32\LTWND11n.DLL
2006-08-10 20:12 36,864 C:\WINDOWS\system32\LFBMP11N.DLL
2006-08-10 20:12 35,840 C:\WINDOWS\system32\LFLMA11N.DLL
2006-08-10 20:12 35,328 C:\WINDOWS\system32\LFCAL11N.DLL
2006-08-10 20:12 33,280 C:\WINDOWS\system32\LFPCX11N.DLL
2006-08-10 20:12 31,744 C:\WINDOWS\system32\LFLMB11N.DLL
2006-08-10 20:12 31,232 C:\WINDOWS\system32\LFEPS11N.DLL
2006-08-10 20:12 285,184 C:\WINDOWS\system32\LFCMP11n.DLL
2006-08-10 20:12 274,432 C:\WINDOWS\system32\vctest.dll
2006-08-10 20:12 27,648 C:\WINDOWS\system32\LFWPG11N.DLL
2006-08-10 20:12 27,648 C:\WINDOWS\system32\LFTGA11N.DLL
2006-08-10 20:12 27,136 C:\WINDOWS\system32\LFWFX11N.DLL
2006-08-10 20:12 27,136 C:\WINDOWS\system32\LFIMG11N.DLL
2006-08-10 20:12 262,656 C:\WINDOWS\system32\LTDIS11n.dll
2006-08-10 20:12 26,112 C:\WINDOWS\system32\LFRAS11N.DLL
2006-08-10 20:12 26,112 C:\WINDOWS\system32\LFPCD11N.DLL
2006-08-10 20:12 26,112 C:\WINDOWS\system32\LFMSP11N.DLL
2006-08-10 20:12 25,600 C:\WINDOWS\system32\LFMAC11N.DLL
2006-08-10 20:12 172,032 C:\WINDOWS\system32\Lfpng11n.dll
2006-08-10 20:12 152,064 C:\WINDOWS\system32\LFTIF11N.DLL
2006-08-10 20:12 127,488 C:\WINDOWS\system32\LTIMG11N.DLL
2006-08-10 20:12 118,784 C:\WINDOWS\system32\LTFIL11N.DLL
2006-08-08 20:12 9,728 C:\WINDOWS\system32\rwnh.dll
2006-08-08 20:12 10,752 C:\WINDOWS\system32\smtpapi.dll
2006-07-31 04:50 719,433 C:\WINDOWS\system32\ttutv.bak2
2006-07-28 16:50 717,539 C:\WINDOWS\system32\ttutv.bak1
2006-07-28 16:49 573,492 C:\WINDOWS\system32\vtutt.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-20 07:24 -------- d-------- C:\Program Files\CCleaner
2006-08-19 21:29 206848 ---hs---- C:\WINDOWS\system32\ttutv.ini2
2006-08-19 20:28 -------- d-------- C:\Program Files\PeerGuardian2
2006-08-19 20:19 719433 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2006-08-19 20:17 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-19 07:31 -------- d-------- C:\Program Files\Hijackthis
2006-08-19 07:30 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-18 17:58 717539 ---hs---- C:\WINDOWS\system32\ttutv.bak1
2006-08-17 18:11 -------- d-------- C:\Program Files\Sony Ericsson
2006-08-17 18:11 -------- d-------- C:\Program Files\Common Files\Teleca Shared
2006-08-17 18:02 -------- d-------- C:\Program Files\Disc2Phone
2006-08-16 18:03 -------- d-------- C:\Documents and Settings\David Again\Application Data\Macromedia
2006-08-16 06:46 -------- d-------- C:\Program Files\SpyHunter
2006-08-16 06:43 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-15 06:53 -------- d-------- C:\Program Files\TrojanHunter 4.0
2006-08-14 19:59 -------- d-------- C:\Program Files\Norton SystemWorks
2006-08-14 06:54 -------- d-------- C:\Program Files\PCRescue
2006-08-13 12:15 -------- d--h----- C:\Program Files\Zero G Registry
2006-08-12 06:27 -------- d-------- C:\Program Files\Security Task Manager
2006-08-12 05:56 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2006-08-11 06:55 -------- d-------- C:\Program Files\Internet Explorer
2006-08-10 20:52 -------- d-------- C:\Documents and Settings\David Again\Application Data\ATI
2006-08-10 20:43 -------- d-------- C:\Program Files\CFi
2006-08-10 20:40 -------- d-------- C:\Program Files\Enterra
2006-08-10 20:32 -------- d-------- C:\Program Files\ATI Technologies
2006-08-10 20:12 -------- d-------- C:\Program Files\ATI Multimedia
2006-08-10 20:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-10 07:32 -------- d-------- C:\Program Files\AutoStreamer
2006-08-10 06:47 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-08-10 06:33 -------- d-------- C:\Program Files\WinAVI Video Converter
2006-08-10 06:33 -------- d-------- C:\Program Files\Tweak-XP Pro 3
2006-08-10 06:33 -------- d-------- C:\Program Files\EPSON Print CD
2006-08-10 06:33 -------- d-------- C:\Program Files\dvdSanta
2006-08-10 06:33 -------- d-------- C:\Documents and Settings\David Again\Application Data\VersionTracker Pro
2006-08-10 06:31 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-10 06:24 -------- d-------- C:\Program Files\XoftSpy
2006-08-10 03:13 -------- d-------- C:\Program Files\Messenger
2006-08-08 20:12 -------- d-------- C:\Program Files\Windows Media Player
2006-08-08 20:02 -------- d-------- C:\Program Files\Windows NT
2006-08-08 20:02 -------- d-------- C:\Program Files\Outlook Express
2006-08-08 20:02 -------- d-------- C:\Program Files\NetMeeting
2006-08-08 20:02 -------- d-------- C:\Program Files\Movie Maker
2006-08-08 20:02 -------- d-------- C:\Program Files\Common Files\System
2006-08-08 17:06 -------- d-------- C:\Program Files\ExplorerXP
2006-08-08 07:32 -------- d-------- C:\Documents and Settings\David Again\Application Data\Registry Booster
2006-08-08 07:11 -------- d-------- C:\Program Files\Uniblue
2006-08-07 17:58 -------- d-------- C:\Program Files\PcBugDoctor
2006-08-05 10:26 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-05 08:11 -------- d-------- C:\Program Files\Ontrack
2006-08-04 19:31 -------- d-------- C:\Documents and Settings\David Again\Application Data\PC Tools
2006-08-03 16:56 -------- d-------- C:\Program Files\Common Files
2006-08-03 07:08 -------- d-------- C:\Program Files\Webroot
2006-08-02 16:48 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-07-29 08:03 -------- d-------- C:\Program Files\Activision
2006-07-28 16:49 573492 ---h----- C:\WINDOWS\system32\vtutt.dll
2006-07-28 16:39 -------- d-------- C:\Program Files\Microsoft Games
2006-07-28 10:16 -------- d-------- C:\Program Files\Alcohol Soft
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 06:57 -------- d-------- C:\Documents and Settings\David Again\Application Data\Adobe
2006-07-19 06:55 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-19 06:55 -------- d-------- C:\Program Files\Adobe
2006-07-19 06:51 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-17 20:00 -------- d-------- C:\Program Files\Smart Projects
2006-07-09 06:17 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-06 09:34 -------- d-------- C:\Program Files\Symantec
2006-07-06 09:23 -------- d-------- C:\Documents and Settings\David Again\Application Data\Symantec
2006-07-06 08:05 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-06-28 18:01 -------- d-------- C:\Program Files\Google
2006-06-28 18:01 -------- d-------- C:\Documents and Settings\David Again\Application Data\Google
2006-06-23 07:05 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-06-12 06:36 22782 --a------ C:\WINDOWS\system32\UninstXviDDec.exe
2006-06-08 12:08 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-06-08 12:08 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-06-01 23:10 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-06-01 23:09 90112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-06-01 23:09 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-01 23:09 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-01 23:09 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-01 23:09 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-01 23:09 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-01 23:09 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-01 23:09 200704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-06-01 23:07 536576 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-01 23:07 245408 --a------ C:\WINDOWS\system32\unicows.dll
2006-06-01 23:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-01 23:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-01 23:06 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-01 23:06 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-01 23:06 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-01 23:06 619156 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-01 23:06 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-01 23:06 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-05-20 08:23 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0H2.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""
@=""
"smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Nero MediaHome"="\"C:\\Program Files\\Nero\\Nero 7\\Nero MediaHome\\NeroMediaHome.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"Iomega Automatic Backup Pro"="\"C:\\Program Files\\Iomega\\Automatic Backup Pro\\LiveSystem.exe\" -s"
"ShellToys XP Utility Manager"="\"C:\\Program Files\\CFi\\ShellToys\\CFiShlMan.exe\" -start"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
@=""
"NoCDBurning"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,7c,01,00,00,00,00,00,00,04,03,00,00,42,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,7c,01,00,00,00,00,00,00,04,03,00,00,42,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{067B597C-C099-4A08-A180-E5FEC5DCF2DF}"="CFi ShellToys ShellExec Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"Norton Ghost 9.0"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\Agent\\GhostTray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Enterra Icon Keeper"="\"C:\\Program Files\\Enterra\\Icon Keeper\\IcnKeepr.exe\" ssp /s"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.0\\THGuard.exe\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - David Again.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job

Completion time: Sun 08/20/2006 7:33:17.90
ComboFix.txt


Crusty (AKA HJT)
Logfile of HijackThis v1.99.1
Scan saved at 07:42:25, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Hijackthis\Crusty.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {241AE555-3815-403A-B934-5D636A7A626F} - C:\WINDOWS\system32\vtutt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nero MediaHome] "C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://195.128.105.11/activex/AMC.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...on/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6ADC8EE-13E3-43C5-B5FF-B6A5BA3A947E}: NameServer = 192.168.1.1
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HistorySweepService - Unknown owner - C:\Program Files\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - Unknown owner - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Looks like a [bleep] of a lot to look through. Look forward to hearing from you. Thanks, David

#10
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Hello again David

We can clean this account first of all and then the Lisa and Guest accounts later.

The logs look very encouraging following the fix. I can see that you have the ConHook infection present. It is the file responsible for downloading Vundo to your PC. The fix for Vundo has today been updated so let’s give it a go and see if ConHook goes, but I will delete the files in Killbox anyway to be sure.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download: Killbox by Option^Explicit

Go to Start > Run and type Services.msc, then hit OK.
Scroll down and find this service:

HistorySweepService

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

HistorySweepService

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {241AE555-3815-403A-B934-5D636A7A626F} - C:\WINDOWS\system32\vtutt.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll
O23 - Service: HistorySweepService - Unknown owner - C:\Program Files\HistorySweep\HSSvc.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • Then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\HistorySweep\HSSvc.exe
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\unvise32.exe
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\vtutt.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (2 logs please).
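An added read-only check, written for this thread and not taken from it or from HijackThis, VundoFix or Killbox: it reports whether the BHO, Winlogon Notify entry, service and files named in the instructions above are still present, and what Killbox has left queued under PendingFileRenameOperations. It assumes Windows PowerShell is installed on the affected machine and is run as Administrator; the CLSID, key name and paths are the ones from the post.

```powershell
# Added audit script, not part of the original thread or any tool it names.
# Read-only: it only reports findings so they can be compared with a fresh HJT log.
# Assumption: Windows PowerShell, run as Administrator.

$bhoClsid  = '{241AE555-3815-403A-B934-5D636A7A626F}'   # O2 entry from the post
$notifyKey = 'vtutt'                                      # O20 Winlogon Notify name
$svcName   = 'HistorySweepService'                        # O23 service name
$files = @(                                               # Killbox delete-on-reboot list
    'C:\Program Files\HistorySweep\HSSvc.exe',
    'C:\WINDOWS\system32\ttutv.ini2',
    'C:\WINDOWS\unvise32.exe',
    'C:\WINDOWS\system32\ttutv.bak2',
    'C:\WINDOWS\system32\ttutv.bak1',
    'C:\WINDOWS\system32\vtutt.dll'
)

$findings = @()

# O2: a BHO is registered as a subkey named by its CLSID under this Explorer key.
$bhoPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
if (Test-Path $bhoPath) { $findings += "BHO still registered: $bhoPath" }

# The CLSID itself maps to the DLL that Internet Explorer would load.
$clsidPath = "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32"
if (Test-Path $clsidPath) {
    $dll = (Get-ItemProperty -Path $clsidPath).'(default)'
    $findings += "CLSID still points at: $dll"
}

# O20: Winlogon Notify packages are subkeys here; each names a DLL loaded into winlogon.exe.
$notifyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$notifyKey"
if (Test-Path $notifyPath) { $findings += "Winlogon Notify subkey still present: $notifyPath" }

# O23: the service should be gone after the HJT 'Delete an NT Service' step and reboot.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service still installed: $svcName (status $($svc.Status))" }

# Files handed to Killbox should no longer exist after the reboot.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File still on disk: $f" }
}

# Killbox's delete-on-reboot uses this MULTI_SZ value; anything still listed runs at next boot.
$smPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smPath -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) { $findings += "PendingFileRenameOperations still queued: $($pending -join ' | ')" }

if ($findings.Count -eq 0) { 'All listed indicators are gone.' } else { $findings }
```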
#11
davidcrossley

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Crustyoldbloke

So it's the weekend almost over again. Thanks for your last post; I was online at the time so have been able to do as you advised already.

Firstly, Vundo found no errors. Here's the log:

VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 19:14:02 04/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 05:49:05 12/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 06:25:36 17/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 06:45:04 17/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.0

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 07:06:39 8/19/2006

Listing files found while scanning....


VundoFix V6.1.0

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 07:15:05 8/19/2006

Listing files found while scanning....

C:\WINDOWS\system32\bvejcjew.exe
C:\WINDOWS\system32\irnxirgc.exe
C:\WINDOWS\system32\nxkghtlp.exe
C:\WINDOWS\system32\pigrmlid.exe
C:\WINDOWS\system32\tomapvbx.exe
C:\WINDOWS\system32\uqqeknqu.exe
C:\WINDOWS\system32\xfauxvts.exe
C:\WINDOWS\system32\bvejcjew.exe
C:\WINDOWS\system32\irnxirgc.exe
C:\WINDOWS\system32\nxkghtlp.exe
C:\WINDOWS\system32\pigrmlid.exe
C:\WINDOWS\system32\tomapvbx.exe
C:\WINDOWS\system32\uqqeknqu.exe
C:\WINDOWS\system32\xfauxvts.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bvejcjew.exe
C:\WINDOWS\system32\bvejcjew.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\irnxirgc.exe
C:\WINDOWS\system32\irnxirgc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nxkghtlp.exe
C:\WINDOWS\system32\nxkghtlp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pigrmlid.exe
C:\WINDOWS\system32\pigrmlid.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tomapvbx.exe
C:\WINDOWS\system32\tomapvbx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uqqeknqu.exe
C:\WINDOWS\system32\uqqeknqu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xfauxvts.exe
C:\WINDOWS\system32\xfauxvts.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.0

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 17:25:04 8/20/2006

Listing files found while scanning....

No infected files were found.

HijackThis on reboot produced the following log:
Logfile of HijackThis v1.99.1
Scan saved at 17:59:56, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nero MediaHome] "C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://195.128.105.11/activex/AMC.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...on/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6ADC8EE-13E3-43C5-B5FF-B6A5BA3A947E}: NameServer = 192.168.1.1
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - Unknown owner - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Thanks again for your help so far. I feel we (well, you really; I'm just typing what you tell me to) are making progress.

Cheers

David

#12
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello David

The Vundofix log you posted is dated 17th Aug, the one I have seen before.

Please download a fresh VundoFix and run it as prescribed. Please post the log afterwards.

#13
davidcrossley

    Member

  • Topic Starter
  • Member
  • 11 posts
Sorry about that.

I did download and run Vundo but must have posted the older log. Here it is again.

I did also forget to say that I got the "PendingFileRenameOperation" message when using Killbox.


VundoFix V6.1.1

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 07:00:09 8/21/2006

Listing files found while scanning....

No infected files were found.


Thanks David

#14
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again David

I cannot recommend Spyware Detector to you as I do not know which version of the programme you are running. Please see here: http://www.spywarewa...nti-spyware.htm

Now that the HijackThis log for the main account is clean, you have a choice to make.

You can either post into this thread a fresh HJT log for each of the other accounts, from normal mode, and I will analyse them and give you the instructions necessary for any fix. Or you can go to User Accounts in the Control Panel and delete all the accounts other than the one I have been working on.

Windows by default will create a folder for each account and place it on the desktop with all the files and documents relative to that account in it, so nothing is lost.

If you then wish to have multiple accounts again, just reboot normally and create the account again from User Accounts (takes 5 minutes).

#15
davidcrossley

    Member

  • Topic Starter
  • Member
  • 11 posts
Great news to hear my account is now clean of Winfixer/Winantivirus. I thank you so much for your time and help.

I will delete/deactivate the guest account, and if you don't mind will post a HJT log for my partner's account tonight, hopefully.


David