help removing Oinadserver



#1
bif

bif

    New Member

  • Member
  • Pip
  • 2 posts
Hi!
I have run ATF, Ad-Aware, Norton Internet Security 2007 and AVG, and have tried to run a System Restore; all have failed. I'm posting a HijackThis log file; any help would be greatly appreciated. Thanks... Bif.

Attached Files




#2
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
In future, copy and paste all information rather than adding it as an attachment - it makes it easier to work with.
For my benefit:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:05 AM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\M?crosoft\w?wexec.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R3 - URLSearchHook: (no name) - {D2A29DF9-7418-5CEF-1401-5CF07CC86CC3} - C:\WINDOWS\system32\itd.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {D2A29DF9-7418-5CEF-1401-5CF07CC86CC3} - C:\WINDOWS\system32\itd.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Hdcqmt] C:\Program Files\Common Files\M?crosoft\w?wexec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159205042734
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: icservice - ONTRACK Data International, Inc. - C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Edited by Noviciate, 15 October 2006 - 01:43 PM.

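As an added illustration for readers of this thread (it is not a tool from the thread, nor from the HijackThis or ComboFix authors), the script below parses lines in the `Xn - ...` format of the log above and flags the two indicators a helper looks for first: a `?` inside a Windows path, which is how the log renders a character it cannot display (the ComboFix output later in the thread quarantines that same folder under its 8.3 name `MCROSO~1`, i.e. a look-alike of "Microsoft"), and `(file missing)` / `(no file)` references left behind by a deleted component. The sample lines are constructed after bif's log; the section, marker and indicator names are the script's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""

import re

# Constructed sample, modelled on the HijackThis log in post #2 above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Hdcqmt] C:\Program Files\Common Files\M?crosoft\w?wexec.exe
R3 - URLSearchHook: (no name) - {D2A29DF9-7418-5CEF-1401-5CF07CC86CC3} - C:\WINDOWS\system32\itd.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159205042734
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

# Every HJT entry starts with a section code (R0..R3, O1..O23) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def extract_target(section, body):
    """Return the file path (or URL) an entry points at, with any missing-file marker removed."""
    if section == "O4":
        # O4 lines look like: HKLM\..\Run: [Name] command [args]
        m = re.search(r"\]\s*(.*)$", body)
        cmd = m.group(1) if m else ""
        if cmd.startswith('"'):
            target = cmd[1:].split('"', 1)[0]   # quoted path: drop the arguments
        else:
            target = cmd                         # unquoted: keep as written
    else:
        # Other sections: the target is the last " - " separated field.
        target = body.rsplit(" - ", 1)[-1]
    for marker in MISSING_MARKERS:
        target = target.replace(marker, "")
    return target.strip()


def check_entry(section, body):
    """Yield (indicator, detail) pairs for one parsed entry."""
    target = extract_target(section, body)
    if any(marker in body for marker in MISSING_MARKERS):
        yield "dangling reference", target
    # URLs legitimately contain '?' (see the O16 line), so only test real Windows paths.
    if re.match(r"^[A-Za-z]:\\", target) and "?" in target:
        yield "unrenderable character in path", target


def triage(log_text):
    """Parse a whole log and return a list of (section, indicator, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blanks carry no entry
        for indicator, detail in check_entry(m["section"], m["body"]):
            findings.append((m["section"], indicator, detail))
    return findings


if __name__ == "__main__":
    for section, indicator, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {indicator:34} {detail}")
```

Run against the sample, the script reports the `Hdcqmt` Run entry (look-alike path), the missing `itd.dll` URLSearchHook and the `(no file)` hook, and stays quiet on the Java BHO, the Wacom service and the O16 URL despite its `?`. A flag is a prompt for a human to look, not a verdict: the Symantec O23 lines in the log above also carry `(file missing)`, and the stray `"` before `/h ccCommon` shows that comes from how the registry value was quoted rather than from malware.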

#3
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You are running HJT from an unsafe location. An easy way to correct this is to do the following:

Download a copy of HJTsetup.exe from here and save it to your Desktop.
  • Double click HJTsetup.exe to begin installation.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the prompts from there.
  • At the final dialogue box, uncheck the box to the left of "Launch Hijackthis" and then click Finish.
Do this BEFORE you proceed!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Combofix by sUBs from here and save it to your Desktop.
  • Double click combo.exe to run it and follow the prompts.
  • When the tool has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Please Note:
  • Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  • Disable Script Blocking if you have NAV installed as it will interfere with the normal working of this tool.
  • Trojan Hunter has been reported to detect this tool as Worm.Qiv.100 - please ignore this, it's a false-positive.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run HJT:
  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.


#4
bif

bif

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I followed your instructions; here are the logs ...

Combo fix...


Owner - 06-10-15 14:55:26.90 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wtssu.exe
C:\Program Files\Inetget2
C:\Program Files\Common Files\{3483BFA3-0702-1033-0918-010402090001}
C:\Program Files\PrintView

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1\w?wexec.exe
C:\QooBox\Purity\Program Files\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET


((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


2006-10-14 17:36 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-14 17:36 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-10-07 22:03 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-10-07 15:12 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2006-09-27 19:51 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-09-26 16:47 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-23 10:36 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-09-23 10:36 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-15 14:56 -------- d-------- C:\Program Files\Common Files
2006-10-15 14:53 -------- d-------- C:\Program Files\Hijackthis
2006-10-15 13:47 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-15 11:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-10-14 22:47 -------- d-------- C:\Program Files\Symantec
2006-10-14 22:47 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-14 20:16 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-14 20:16 -------- d-------- C:\Program Files\Ubi Soft
2006-10-14 17:54 -------- d-------- C:\Program Files\Grisoft
2006-10-14 17:04 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-11 19:37 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-11 18:33 -------- d-------- C:\Program Files\MSN Messenger
2006-10-07 22:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\ATI
2006-10-07 22:07 -------- d-------- C:\Program Files\Common Files\ATI Technologies
2006-10-07 22:04 -------- d-------- C:\Program Files\ATI Technologies
2006-10-07 21:50 -------- d-------- C:\Program Files\Internet Explorer
2006-10-07 18:02 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-09-27 20:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-09-27 19:55 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-27 19:47 -------- d-------- C:\Program Files\Thomson
2006-09-27 19:46 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-27 17:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-25 20:40 1063 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-09-25 10:35 -------- d-------- C:\Program Files\Microsoft Office
2006-09-25 10:35 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-25 10:35 -------- d-------- C:\Program Files\Common Files\System
2006-09-25 10:35 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-23 10:36 -------- d-------- C:\Program Files\Windows Media Player
2006-09-23 10:36 -------- d-------- C:\Program Files\MsnMusic
2006-09-23 10:01 -------- d-------- C:\Program Files\Java
2006-09-23 09:59 -------- d-------- C:\Program Files\Common Files\Java
2006-09-22 11:20 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-09-22 11:15 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-22 11:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-09-22 11:13 -------- d-------- C:\Program Files\QuickTime
2006-09-22 11:12 -------- d-------- C:\Program Files\Apple Software Update
2006-09-22 10:51 -------- d-------- C:\Program Files\Lexmark X74-X75
2006-09-21 18:44 -------- d-------- C:\Program Files\Google
2006-09-21 18:44 -------- d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2006-09-19 21:45 -------- d-------- C:\Program Files\Adobe
2006-09-19 20:59 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-11 16:30 275112 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-09-11 16:30 243368 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2006-09-11 16:30 24232 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2006-09-07 19:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-09-07 19:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\Corel
2006-09-07 19:29 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-07 19:28 -------- d-------- C:\Program Files\Corel
2006-09-07 18:45 -------- d-------- C:\Program Files\WinZip Self-Extractor
2006-09-07 18:18 -------- d-------- C:\Program Files\FLStudio
2006-09-07 18:01 -------- d-------- C:\Program Files\VstPlugins
2006-09-07 18:01 -------- d-------- C:\Program Files\Image-Line
2006-09-06 19:47 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 19:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-06 19:17 -------- d-------- C:\Program Files\coolpro2
2006-09-06 19:16 -------- d-------- C:\Documents and Settings\Owner\Application Data\Syntrillium
2006-09-06 19:07 -------- d-------- C:\Program Files\Tablet
2006-09-06 18:59 -------- d-------- C:\Program Files\Intel
2006-09-06 18:57 -------- d-------- C:\Program Files\Common Files\Intel Shared
2006-09-06 18:56 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2006-09-06 18:56 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2006-09-06 18:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-09-06 18:53 -------- d-------- C:\Program Files\Canon
2006-09-06 18:43 -------- d-------- C:\Program Files\Ontrack
2006-09-06 18:43 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-06 18:41 -------- d-------- C:\Program Files\Ahead
2006-09-06 18:38 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-06 17:51 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-06 17:51 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-06 17:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-06 17:27 -------- d-------- C:\Program Files\Messenger
2006-09-06 15:40 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-06 15:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-09-06 15:35 0 -rahs---- C:\MSDOS.SYS
2006-09-06 15:35 0 -rahs---- C:\IO.SYS
2006-09-06 15:35 0 --a------ C:\CONFIG.SYS
2006-09-06 15:35 0 --a------ C:\AUTOEXEC.BAT
2006-09-06 15:35 -------- d-------- C:\Program Files\xerox
2006-09-06 15:35 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-06 15:33 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 15:33 -------- d-------- C:\Program Files\Online Services
2006-09-06 15:33 -------- d-------- C:\Program Files\NetMeeting
2006-09-06 15:33 -------- d-------- C:\Program Files\Common Files\Services
2006-09-06 15:32 -------- d-------- C:\Program Files\Movie Maker
2006-09-06 15:32 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-06 15:32 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-09-06 15:31 -------- d-------- C:\Program Files\Windows NT
2006-09-06 15:31 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-06 15:30 -------- d-------- C:\Program Files\MSN
2006-09-06 08:24 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-06 08:24 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-06 08:23 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2006-09-02 14:35 613056 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-09-02 14:35 36032 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2006-09-02 14:35 239808 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-09-02 14:35 186048 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-09-02 14:34 39104 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-09-02 14:34 33216 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-09-02 14:34 26432 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-09-02 14:34 144832 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-09-02 14:34 11968 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 04:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Hdcqmt"="C:\\Program Files\\Common Files\\M?crosoft\\w?wexec.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job

Completion time: 06-10-15 14:58:22.26
C:\ComboFix.txt ... 06-10-15 14:58






HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 3:06:05 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R3 - URLSearchHook: (no name) - {D2A29DF9-7418-5CEF-1401-5CF07CC86CC3} - C:\WINDOWS\system32\itd.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {D2A29DF9-7418-5CEF-1401-5CF07CC86CC3} - C:\WINDOWS\system32\itd.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Hdcqmt] C:\Program Files\Common Files\M?crosoft\w?wexec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159205042734
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: icservice - ONTRACK Data International, Inc. - C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe





uninstall log...


Owner - 06-10-15 14:55:26.90 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wtssu.exe
C:\Program Files\Inetget2
C:\Program Files\Common Files\{3483BFA3-0702-1033-0918-010402090001}
C:\Program Files\PrintView

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1\w?wexec.exe
C:\QooBox\Purity\Program Files\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET


((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


2006-10-14 17:36 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-14 17:36 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-10-07 22:03 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-10-07 15:12 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2006-09-27 19:51 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-09-26 16:47 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-23 10:36 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-09-23 10:36 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-15 14:56 -------- d-------- C:\Program Files\Common Files
2006-10-15 14:53 -------- d-------- C:\Program Files\Hijackthis
2006-10-15 13:47 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-15 11:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-10-14 22:47 -------- d-------- C:\Program Files\Symantec
2006-10-14 22:47 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-14 20:16 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-14 20:16 -------- d-------- C:\Program Files\Ubi Soft
2006-10-14 17:54 -------- d-------- C:\Program Files\Grisoft
2006-10-14 17:04 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-11 19:37 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-11 18:33 -------- d-------- C:\Program Files\MSN Messenger
2006-10-07 22:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\ATI
2006-10-07 22:07 -------- d-------- C:\Program Files\Common Files\ATI Technologies
2006-10-07 22:04 -------- d-------- C:\Program Files\ATI Technologies
2006-10-07 21:50 -------- d-------- C:\Program Files\Internet Explorer
2006-10-07 18:02 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-09-27 20:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-09-27 19:55 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-27 19:47 -------- d-------- C:\Program Files\Thomson
2006-09-27 19:46 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-27 17:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-25 20:40 1063 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-09-25 10:35 -------- d-------- C:\Program Files\Microsoft Office
2006-09-25 10:35 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-25 10:35 -------- d-------- C:\Program Files\Common Files\System
2006-09-25 10:35 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-23 10:36 -------- d-------- C:\Program Files\Windows Media Player
2006-09-23 10:36 -------- d-------- C:\Program Files\MsnMusic
2006-09-23 10:01 -------- d-------- C:\Program Files\Java
2006-09-23 09:59 -------- d-------- C:\Program Files\Common Files\Java
2006-09-22 11:20 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-09-22 11:15 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-22 11:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-09-22 11:13 -------- d-------- C:\Program Files\QuickTime
2006-09-22 11:12 -------- d-------- C:\Program Files\Apple Software Update
2006-09-22 10:51 -------- d-------- C:\Program Files\Lexmark X74-X75
2006-09-21 18:44 -------- d-------- C:\Program Files\Google
2006-09-21 18:44 -------- d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2006-09-19 21:45 -------- d-------- C:\Program Files\Adobe
2006-09-19 20:59 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-11 16:30 275112 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-09-11 16:30 243368 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2006-09-11 16:30 24232 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2006-09-07 19:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-09-07 19:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\Corel
2006-09-07 19:29 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-07 19:28 -------- d-------- C:\Program Files\Corel
2006-09-07 18:45 -------- d-------- C:\Program Files\WinZip Self-Extractor
2006-09-07 18:18 -------- d-------- C:\Program Files\FLStudio
2006-09-07 18:01 -------- d-------- C:\Program Files\VstPlugins
2006-09-07 18:01 -------- d-------- C:\Program Files\Image-Line
2006-09-06 19:47 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 19:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-06 19:17 -------- d-------- C:\Program Files\coolpro2
2006-09-06 19:16 -------- d-------- C:\Documents and Settings\Owner\Application Data\Syntrillium
2006-09-06 19:07 -------- d-------- C:\Program Files\Tablet
2006-09-06 18:59 -------- d-------- C:\Program Files\Intel
2006-09-06 18:57 -------- d-------- C:\Program Files\Common Files\Intel Shared
2006-09-06 18:56 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2006-09-06 18:56 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2006-09-06 18:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-09-06 18:53 -------- d-------- C:\Program Files\Canon
2006-09-06 18:43 -------- d-------- C:\Program Files\Ontrack
2006-09-06 18:43 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-06 18:41 -------- d-------- C:\Program Files\Ahead
2006-09-06 18:38 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-06 17:51 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-06 17:51 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-06 17:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-06 17:27 -------- d-------- C:\Program Files\Messenger
2006-09-06 15:40 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-06 15:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-09-06 15:35 0 -rahs---- C:\MSDOS.SYS
2006-09-06 15:35 0 -rahs---- C:\IO.SYS
2006-09-06 15:35 0 --a------ C:\CONFIG.SYS
2006-09-06 15:35 0 --a------ C:\AUTOEXEC.BAT
2006-09-06 15:35 -------- d-------- C:\Program Files\xerox
2006-09-06 15:35 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-06 15:33 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 15:33 -------- d-------- C:\Program Files\Online Services
2006-09-06 15:33 -------- d-------- C:\Program Files\NetMeeting
2006-09-06 15:33 -------- d-------- C:\Program Files\Common Files\Services
2006-09-06 15:32 -------- d-------- C:\Program Files\Movie Maker
2006-09-06 15:32 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-06 15:32 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-09-06 15:31 -------- d-------- C:\Program Files\Windows NT
2006-09-06 15:31 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-06 15:30 -------- d-------- C:\Program Files\MSN
2006-09-06 08:24 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-06 08:24 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-06 08:23 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2006-09-02 14:35 613056 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-09-02 14:35 36032 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2006-09-02 14:35 239808 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-09-02 14:35 186048 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-09-02 14:34 39104 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-09-02 14:34 33216 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-09-02 14:34 26432 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-09-02 14:34 144832 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-09-02 14:34 11968 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 04:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Hdcqmt"="C:\\Program Files\\Common Files\\M?crosoft\\w?wexec.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job

Completion time: 06-10-15 14:58:22.26
C:\ComboFix.txt ... 06-10-15 14:58

#5
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
If you had previewed your post, you would have noticed that you had pasted the Combofix log in place of the uninstall list.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of AVG Anti-Spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating AVG Anti-Spyware: below.

* Please note that this program was formerly known as Ewido anti-spyware 4.0.
Taken from the Ewido website -

ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.
  • Updating AVG Anti-Spyware:

    By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either AVG A-S will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click ewido-signatures-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close AVG A-S.

AVG A-S is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

3) You will need to know how to boot into Safe Mode.
Instructions can be found here.

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

R3 - URLSearchHook: (no name) - {D2A29DF9-7418-5CEF-1401-5CF07CC86CC3} - C:\WINDOWS\system32\itd.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [Hdcqmt] C:\Program Files\Common Files\M?crosoft\w?wexec.exe


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that AVG A-S has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When AVG A-S has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close Ewido Anti-Spyware.

7) Boot into Normal Mode.

Post a new HJT log (run in Normal Mode), the AVG A-S log AND a description of how your PC is running.
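The O4 entry flagged in the removal step above, a Run value pointing into a `M?crosoft` folder that imitates the genuine Microsoft directory, is the kind of thing a defender can pick out of a log automatically rather than by eye. As an added example that is not part of this thread and not code from ComboFix, HijackThis or AVG, here is a Python script that parses the Run keys from a ComboFix-style "Reg Loading Points" dump and flags entries whose executable path contains an unrenderable character or a near-miss of a well-known directory name. The sample log text is a constructed excerpt of the dump in the thread, and the `TRUSTED_DIRS` list is an assumption you would extend for your own environment; `?` is not a legal character in a Windows file name, so its presence in a logged path means the tool substituted it for a character it could not print.

```python
"""Flag suspicious autorun entries in a ComboFix/HijackThis-style registry dump."""
import re

# Constructed sample (excerpt, not the thread's full log): the two Run keys
# from the "Reg Loading Points" section, in the dump's own .reg-style escaping.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Hdcqmt"="C:\\Program Files\\Common Files\\M?crosoft\\w?wexec.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
'''

# Assumed list of directory names that malware commonly imitates; extend as needed.
TRUSTED_DIRS = ["Microsoft", "Common Files", "Symantec Shared", "WINDOWS", "system32"]

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(value: str) -> str:
    r"""Undo .reg escaping: \\ becomes \ and \" becomes " (any \c becomes c)."""
    return re.sub(r'\\(.)', r'\1', value)


def extract_path(command: str) -> str:
    """Return the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, arguments follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r'\.exe\b', command, re.IGNORECASE)  # unquoted path up to .exe
    return command[:m.end()] if m else command


def wildcard_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance; '?' in `a` matches any one character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            same = ca == '?' or ca.lower() == cb.lower()
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if same else 1)))
        prev = cur
    return prev[-1]


def suspicious_reasons(path: str) -> list:
    """Heuristics that make an autorun path worth a second look."""
    reasons = []
    # '?' cannot occur in a real Windows file name: the dump substituted it for
    # a character it could not render, typically a non-ASCII look-alike letter.
    if '?' in path or any(ord(c) > 127 for c in path):
        reasons.append("path contains a non-ASCII or unrenderable character")
    for part in path.split('\\'):
        for trusted in TRUSTED_DIRS:
            if part.lower() != trusted.lower() and wildcard_distance(part, trusted) <= 1:
                reasons.append(f"'{part}' looks like '{trusted}' but is not identical")
    return reasons


def parse_run_entries(log_text: str) -> list:
    """Return (key, value_name, path) for every value under a Run key."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key and current_key.lower().endswith('\\run'):
            command = unescape_reg(vm.group(2))
            entries.append((current_key, vm.group(1), extract_path(command)))
    return entries


def analyze_run_keys(log_text: str) -> list:
    """Return one finding dict per autorun entry that trips a heuristic."""
    findings = []
    for key, name, path in parse_run_entries(log_text):
        reasons = suspicious_reasons(path)
        if reasons:
            scope = "per-user (HKCU)" if key.upper().startswith("HKEY_CURRENT_USER") else "machine-wide"
            findings.append({"key": key, "name": name, "path": path, "scope": scope, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_run_keys(SAMPLE_LOG):
        print(f"[{f['scope']}] {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, only the `Hdcqmt` value is reported, for two reasons at once: the `?` in the path and `M?crosoft` being one wildcard away from `Microsoft`. The legitimate Symantec, Nero and QuickTime entries pass because their directory names match the trusted list exactly. Treat the output as a prioritised list for a human to verify, as the thread's helper does, not as an automatic deletion list.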