Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

cannot remove idialer and other malware


  • This topic is locked This topic is locked

#1
huttley

huttley

    New Member

  • Member
  • Pip
  • 7 posts
Hi,

I have tried most of the suggestions on your website to remove some malware on my system- all to no avail. Yesterday, I purchased Microsoft's OneCare prog and this was still unable to help me.

Please find attached my Hijackthis log. Also, I am having big troubles with starting windows in Safe Mode- Everytime I use the f8 method, my system just freezes up.

I have tries Cleanup!, ewido and a few others to try to remove malware. OneCare tells me that there is a trojan there and says it removes it, but I continue to have the same problem.

Please, if you can help me, I would be grateful.

Logfile of HijackThis v1.99.1
Scan saved at 11:08:50 PM, on 4/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\{501BD340-063A-1033-0917-04040910003d}\Update.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\TEMP\winB.tmp.exe
C:\WINDOWS\TEMP\iddC.tmp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Mick\LOCALS~1\Temp\Rar$EX00.039\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{501BD340-063A-1033-0917-04040910003d}] "C:\Program Files\Common Files\{501BD340-063A-1033-0917-04040910003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfig.dll,startup
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [wlwmjsg.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Mick\Local Settings\Application Data\wlwmjsg.dll",zdxkxpb
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gbljilap.dll",setvm
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [IPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://C:\Program Files\Telstra\SpeedTouch\BigPondGUI\HTML\nskey.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168580886264
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{248FC7F4-DD81-4971-B2C3-5DE9D4466A48}: NameServer = 144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

You are dealing with several different infections here, so we'll have to do this step by step.

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It is important you don't miss a step and perform everything in the right order!!

* Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot afterwards. Important!

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O4 - HKLM\..\Run: [{501BD340-063A-1033-0917-04040910003d}] "C:\Program Files\Common Files\{501BD340-063A-1033-0917-04040910003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfig.dll,startup
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [wlwmjsg.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Mick\Local Settings\Application Data\wlwmjsg.dll",zdxkxpb
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gbljilap.dll",setvm
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post next logs in your following reply:
  • Log from combofix (combofix.txt)
  • Log from Vundofix (vundofix.txt)
  • Log from AVG Antispyware
  • New Hijackthislog
You may need several replies to post the logs in case they won't fit in one reply.
  • 0

#3
huttley

huttley

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thankyou for all of that info. I seem to have got rid of the major problems- Here are the logs as requested.

Your help is greatly appreciated.

Combofix:
"Mick" - 07-02-06 21:01:20 Service Pack 2
ComboFix 07.02.04 - Running from: "G:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard131.dat
C:\Program Files\Ipwindows\ipwins.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{501BD~1
C:\Program Files\Common Files\{501BD~2
C:\DOCUME~1\Mick\Application Data\SearchToolbarCorp
C:\Program Files\Ipwindows
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Mick
C:\qoobox\purity\DOCUME~1\Mick\Application Data
C:\qoobox\purity\DOCUME~1\Mick\Application Data\CROSOF~1
C:\qoobox\purity\DOCUME~1\Mick\Application Data\from.txt
C:\qoobox\purity\WINDOWS\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\ECURIT~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-06 to 2007-02-06 ))))))))))))))))))))))))))))))))))


2007-02-06 17:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-06 17:39 <DIR> d-------- C:\Program Files\Grisoft
2007-02-06 16:46 <DIR> d-------- C:\VundoFix Backups
2007-02-05 20:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Adobe
2007-02-04 18:14 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-02-04 17:57 <DIR> d-------- C:\Program Files\tightvnc
2007-02-04 10:58 81,024 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-02-04 10:58 105,856 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-02-04 10:57 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-02-04 10:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-02-04 10:33 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-02-02 21:09 2 --a------ C:\WINDOWS\system32\wnscpsv.exe
2007-02-02 21:08 72,704 --a------ C:\WINDOWS\system32\drvfig.dll
2007-02-02 21:08 19,968 --a------ C:\WINDOWS\system32\winbmf32.dll
2007-02-01 18:17 <DIR> d-------- C:\Program Files\iTunes
2007-02-01 18:17 <DIR> d-------- C:\Program Files\iPod
2007-02-01 17:29 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Skype
2007-01-31 19:15 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Apple Computer
2007-01-28 20:56 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2007-01-24 20:02 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Individual Software
2007-01-23 19:02 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2007-01-21 21:13 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Webroot
2007-01-21 15:35 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Help
2007-01-21 14:51 <DIR> d-------- C:\Program Files\RFA
2007-01-19 16:54 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Google
2007-01-17 18:26 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Sun
2007-01-17 17:43 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\AdobeUM
2007-01-14 14:48 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Adobe
2007-01-14 14:39 <DIR> d--hs---- C:\WINDOWS\CSC
2007-01-14 14:04 <DIR> d--hs---- C:\USMT.TMP
2007-01-14 13:57 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Symantec
2007-01-12 21:06 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-12 18:19 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-01-12 18:19 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-01-12 18:19 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-01-12 16:45 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-09 16:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-09 16:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-09 16:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-09 16:41 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-09 16:41 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-09 16:41 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-09 16:39 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-09 16:38 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-09 16:21 592 --a------ C:\WINDOWS\chgkey.vbs
2007-01-07 14:12 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 22:23 -------- d-------- C:\Program Files\norton systemworks
2007-02-04 22:23 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-04 11:06 -------- d---s---- C:\DOCUME~1\Mick\Application Data\microsoft
2007-02-04 10:59 262 --a------ C:\DOCUME~1\Mick\Application Data\winsscookie.txt
2007-01-21 21:13 -------- d-------- C:\Program Files\Common Files\webroot shared
2007-01-21 15:18 -------- d-------- C:\Program Files\microsoft activesync
2007-01-21 15:15 -------- d--h----- C:\Program Files\installshield installation information
2007-01-17 18:17 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-14 15:18 -------- d-------- C:\DOCUME~1\Mick\Application Data\macromedia
2007-01-14 14:27 2508 --a------ C:\DOCUME~1\Mick\Application Data\$_hpcst$.hpc
2007-01-14 13:56 -------- d-------- C:\DOCUME~1\Mick\Application Data\identities
2007-01-12 18:06 -------- d-------- C:\Program Files\microsoft works
2007-01-09 16:47 -------- d-------- C:\Program Files\windows media connect
2007-01-07 14:15 -------- d-------- C:\Program Files\quicktime
2006-12-29 18:58 94208 --a------ C:\WINDOWS\ccuninst.exe
2006-12-29 18:57 -------- d-------- C:\Program Files\telstra
2006-12-29 18:18 -------- d-------- C:\Program Files\polar
2006-12-28 16:50 -------- d-------- C:\Program Files\on screen display
2006-12-28 15:08 -------- d-------- C:\Program Files\java
2006-11-27 19:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-13 17:02 1866240 --a------ C:\WINDOWS\system32\mstscax.dll
2006-11-08 16:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 19:06 600576 --a------ C:\WINDOWS\system32\mstsc.exe
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"Window Washer"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"wlwmjsg.dll"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\Mick\\Local Settings\\Application Data\\wlwmjsg.dll\",zdxkxpb"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SNPSTD2"="C:\\WINDOWS\\vsnpstd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Lto Manager"="\"C:\\Program Files\\Quick GPS Connection Data Download Manager\\DesktopLtoManager.exe\""
"KeybdUtility"="\"C:\\Program Files\\On Screen Display\\Hotkey.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"iRiver Updater"="\\Updater.exe"
"ecc"="C:\\Program Files\\Telstra\\BigPond Assist\\assist.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"batterymiser"="C:\\Program Files\\Battery miser\\batterymiser.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"IPOperator"="\"C:\\Program Files\\IP Operator\\IPOperator.exe\" -aUtOsTaRtFrOmReG"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Norton SystemWorks\\Norton GoBack.lnk"
"backup"="C:\\WINDOWS\\pss\\Norton GoBack.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NORTON~2\\NORTON~4\\GBTray.exe "
"item"="Norton GoBack"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostTray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Mechanic Startup Guard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StartupGuard"
"hkey"="HKCU"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"="BatteryMiser Psap Shl Ext"
"{90382AD7-4298-47E0-BC0F-14ACCFF44D2C}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbmf32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Signature Update.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Vundofix:
VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.2

Scan started at 4:46:17 PM 6/02/2007

Listing files found while scanning....

C:\Documents and settings\Mick\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Mick\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\WINDOWS\system32\acccf.bak1
C:\WINDOWS\system32\acccf.bak2
C:\WINDOWS\system32\acccf.ini
C:\WINDOWS\system32\acccf.ini2
C:\WINDOWS\system32\acccf.tmp
C:\WINDOWS\system32\fccca.dll
C:\WINDOWS\system32\gbljilap.dll
C:\WINDOWS\system32\khfdbab.dll
C:\WINDOWS\system32\ldvrxmpw.dll
C:\WINDOWS\system32\palijlbg.ini
C:\WINDOWS\system32\rqrqppn.dll
C:\WINDOWS\system32\wdaltjdl.dll
C:\WINDOWS\system32\wpmxrvdl.ini

Beginning removal...

Attempting to delete C:\Documents and settings\Mick\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Mick\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\Mick\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Mick\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\WINDOWS\system32\acccf.bak1
C:\WINDOWS\system32\acccf.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acccf.bak2
C:\WINDOWS\system32\acccf.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acccf.ini
C:\WINDOWS\system32\acccf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\acccf.ini2
C:\WINDOWS\system32\acccf.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acccf.tmp
C:\WINDOWS\system32\acccf.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccca.dll
C:\WINDOWS\system32\fccca.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gbljilap.dll
C:\WINDOWS\system32\gbljilap.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfdbab.dll
C:\WINDOWS\system32\khfdbab.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ldvrxmpw.dll
C:\WINDOWS\system32\ldvrxmpw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\palijlbg.ini
C:\WINDOWS\system32\palijlbg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrqppn.dll
C:\WINDOWS\system32\rqrqppn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wdaltjdl.dll
C:\WINDOWS\system32\wdaltjdl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wpmxrvdl.ini
C:\WINDOWS\system32\wpmxrvdl.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\khfdbab.dll
C:\WINDOWS\system32\khfdbab.dll Has been deleted!

Performing Repairs to the registry.
Done!

AVG Antispyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:28:07 PM 6/02/2007

+ Scan result:



C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000076.dll -> Adware.Maxifiles : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000077.exe -> Adware.Maxifiles : Cleaned.
C:\RECYCLER\S-1-5-18\Dc1\Update.exe -> Adware.Softomate : Cleaned.
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000080.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000081.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000082.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000083.exe -> Adware.Softomate : Cleaned.
C:\RECYCLER\S-1-5-21-823518204-1606980848-1060284298-500\Dc36.exe -> Dialer.IDialer.m : Cleaned.
C:\RECYCLER\S-1-5-21-823518204-1606980848-1060284298-500\Dc11.exe -> Dialer.Small : Cleaned.
C:\RECYCLER\S-1-5-21-823518204-1606980848-1060284298-500\Dc35.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\__delete_on_reboot__w_i_n_2_._t_m_p_._e_x_e_ -> Dialer.Small : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000079.exe -> Downloader.Agent.bca : Cleaned.
C:\System Volume Information\_restore{EFBF68CD-A66A-42C5-93DF-EA07F8E0F366}\RP2\A0000058.exe -> Downloader.Tiny.fk : Cleaned.
C:\WINDOWS\system32\drvfig.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\WINDOWS\system32\wnscpsv.exe -> Trojan.Small : Cleaned.


::Report end

New Hijackthis! log:
Logfile of HijackThis v1.99.1
Scan saved at 9:23:41 PM, on 6/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Quick GPS Connection Data Download Manager\DesktopLtoManager.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Updater.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Mick\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {188BFCE3-671D-46C7-8A5D-1E4F6843AEA7} - C:\WINDOWS\system32\fccca.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\wdaltjdl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {90382AD7-4298-47E0-BC0F-14ACCFF44D2C} - C:\WINDOWS\system32\khfdbab.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lto Manager] "C:\Program Files\Quick GPS Connection Data Download Manager\DesktopLtoManager.exe"
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://C:\Program Files\Telstra\SpeedTouch\BigPondGUI\HTML\nskey.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168580886264
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{248FC7F4-DD81-4971-B2C3-5DE9D4466A48}: NameServer = 144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O20 - Winlogon Notify: winbmf32 - C:\WINDOWS\SYSTEM32\winbmf32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

Almost done here...
Let's deal with the dialer now, because I see it's still active...
Is it possible that you ran Combofix before AVG Antispyware and before you fixed in Hijackthis? Because the logs don't make sense, this because AVG Antispyware shows it deleted some files while they are still present in the combofix log... same as for some registry entries which are showing in combofix and not showing in Hijackthis anymore.
That's why the order to perform steps is so important, to avoid confusion.

Anyway, we'll find out afterwards.

Do next in the right order..

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winbmf32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system should reboot now.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {188BFCE3-671D-46C7-8A5D-1E4F6843AEA7} - C:\WINDOWS\system32\fccca.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\wdaltjdl.dll (file missing)
O2 - BHO: (no name) - {90382AD7-4298-47E0-BC0F-14ACCFF44D2C} - C:\WINDOWS\system32\khfdbab.dll (file missing)
O20 - Winlogon Notify: winbmf32 - C:\WINDOWS\SYSTEM32\winbmf32.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next files if still present:

C:\WINDOWS\system32\wnscpsv.exe
C:\WINDOWS\system32\drvfig.dll

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{90382AD7-4298-47E0-BC0F-14ACCFF44D2C}"=-

[-HKEY_CLASSES_ROOT\CLSID\{90382AD7-4298-47E0-BC0F-14ACCFF44D2C}]

Save this as remove.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file, select it and click ok:

C:\WINDOWS\chgkey.vbs

Then click the Send File button below.
Perform the same for next file:

C:\WINDOWS\ccuninst.exe

Then, After performing above, rescan with Hijackthis and post the log in your next reply together with a new log from combofix (so rescan with combofix as well)
  • 0

#5
huttley

huttley

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello-

Once again, thank you very much for your help and quick reply. It is possible that the order of things that you asked me to do was mixed up. I have done everything in the correct order this time.

Here are the logs that you have requested...

Logfile of HijackThis v1.99.1
Scan saved at 5:49:46 PM, on 7/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Mick\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://C:\Program Files\Telstra\SpeedTouch\BigPondGUI\HTML\nskey.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168580886264
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{248FC7F4-DD81-4971-B2C3-5DE9D4466A48}: NameServer = 144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


"Mick" - 07-02-07 17:53:19 Service Pack 2
ComboFix 07.02.04 - Running from: "G:\"

((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


2007-02-07 17:34 <DIR> d-------- C:\Program Files\Common Files\Java
2007-02-06 21:40 720,896 --a------ C:\WINDOWS\iun6002.exe
2007-02-06 21:40 <DIR> d-------- C:\Program Files\TuneXP
2007-02-06 17:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-06 17:39 <DIR> d-------- C:\Program Files\Grisoft
2007-02-06 16:46 <DIR> d-------- C:\VundoFix Backups
2007-02-05 20:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Adobe
2007-02-04 18:14 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-02-04 17:57 <DIR> d-------- C:\Program Files\tightvnc
2007-02-04 10:58 81,024 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-02-04 10:58 105,856 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-02-04 10:57 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-02-04 10:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-02-04 10:33 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-02-01 18:17 <DIR> d-------- C:\Program Files\iTunes
2007-02-01 18:17 <DIR> d-------- C:\Program Files\iPod
2007-02-01 17:29 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Skype
2007-01-31 19:15 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Apple Computer
2007-01-28 20:56 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2007-01-24 20:02 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Individual Software
2007-01-23 19:02 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2007-01-21 21:13 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Webroot
2007-01-21 15:35 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Help
2007-01-21 14:51 <DIR> d-------- C:\Program Files\RFA
2007-01-19 16:54 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Google
2007-01-17 18:26 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Sun
2007-01-17 17:43 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\AdobeUM
2007-01-14 14:48 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Adobe
2007-01-14 14:39 <DIR> d--hs---- C:\WINDOWS\CSC
2007-01-14 14:04 <DIR> d--hs---- C:\USMT.TMP
2007-01-14 13:57 <DIR> d-------- C:\DOCUME~1\Mick\Application Data\Symantec
2007-01-12 21:06 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-12 18:19 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-01-12 18:19 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-01-12 18:19 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-01-12 16:45 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-09 16:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-09 16:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-09 16:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-09 16:41 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-09 16:41 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-09 16:41 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-09 16:39 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-09 16:38 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-09 16:21 592 --a------ C:\WINDOWS\chgkey.vbs
2007-01-07 14:12 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-07 17:38 -------- d-------- C:\Program Files\java
2007-02-04 22:23 -------- d-------- C:\Program Files\norton systemworks
2007-02-04 22:23 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-04 11:06 -------- d---s---- C:\DOCUME~1\Mick\Application Data\microsoft
2007-02-04 10:59 262 --a------ C:\DOCUME~1\Mick\Application Data\winsscookie.txt
2007-01-21 21:13 -------- d-------- C:\Program Files\Common Files\webroot shared
2007-01-21 15:18 -------- d-------- C:\Program Files\microsoft activesync
2007-01-21 15:15 -------- d--h----- C:\Program Files\installshield installation information
2007-01-17 18:17 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-14 15:18 -------- d-------- C:\DOCUME~1\Mick\Application Data\macromedia
2007-01-14 14:27 2508 --a------ C:\DOCUME~1\Mick\Application Data\$_hpcst$.hpc
2007-01-14 13:56 -------- d-------- C:\DOCUME~1\Mick\Application Data\identities
2007-01-12 18:06 -------- d-------- C:\Program Files\microsoft works
2007-01-09 16:47 -------- d-------- C:\Program Files\windows media connect
2007-01-07 14:15 -------- d-------- C:\Program Files\quicktime
2006-12-29 18:58 94208 --a------ C:\WINDOWS\ccuninst.exe
2006-12-29 18:57 -------- d-------- C:\Program Files\telstra
2006-12-29 18:18 -------- d-------- C:\Program Files\polar
2006-12-28 16:50 -------- d-------- C:\Program Files\on screen display
2006-11-27 19:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-13 17:02 1866240 --a------ C:\WINDOWS\system32\mstscax.dll
2006-11-08 16:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 19:06 600576 --a------ C:\WINDOWS\system32\mstsc.exe
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"KeybdUtility"="\"C:\\Program Files\\On Screen Display\\Hotkey.exe\""
"ecc"="C:\\Program Files\\Telstra\\BigPond Assist\\assist.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"batterymiser"="C:\\Program Files\\Battery miser\\batterymiser.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"IPOperator"="\"C:\\Program Files\\IP Operator\\IPOperator.exe\" -aUtOsTaRtFrOmReG"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Norton SystemWorks\\Norton GoBack.lnk"
"backup"="C:\\WINDOWS\\pss\\Norton GoBack.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NORTON~2\\NORTON~4\\GBTray.exe "
"item"="Norton GoBack"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostTray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Mechanic Startup Guard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StartupGuard"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlwmjsg.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wlwmjsg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\Mick\\Local Settings\\Application Data\\wlwmjsg.dll\",zdxkxpb"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"="BatteryMiser Psap Shl Ext"
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Signature Update.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-07 17:56:04
C:\ComboFix2.txt ... 07-02-06 21:09
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

Your logs look clean again.
The files you uploaded are ok. Ccuninst.exe is related with Bigpond Assistant (the uninstaller) and chgkey.vbs is created to change the Volume Licensing product key as described here: http://support.micro...b;en-us;Q328874

How are things now?
  • 0

#7
huttley

huttley

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi again-

Thanks for that. Everything seems okay at this stage, with the exception of a problem i get just as the logon screen starts up. I receive an error message relating to a file svchost.exe. I cannot recall the exact message. Any suggestions?

Thanks again
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I just see from your previous post that one entry still needs to go from the registry, so Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlwmjsg.dll]

Save this as fix2.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Concerning the svchost.exe error at startup. This could be related with your Windows Updates check. Looks like this is a common issue with Norton/symantec installed.
Did you get the error similar looking like:
"application error the instruction at "0x745f2780" reference memory at "0x00000000". the memory could not be 'read'" ??
Normally when you go to the Windows Update site, you should get that error as well, or your svchost.exe will cause your CPU go up to 100% then.

Can you verify if this is the case? If you get similar looking error?

Let me know in your next reply.
  • 0

#9
huttley

huttley

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi,

Yes. That error is the one. I have uninstalled all of the Norton/Symantec applications and run registry first aid so I believe that all of the symantec/norton reg values should have been deleted.

I have tried manually updating windows updates and the error is still present.


Thanks
  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

You didn't have to uninstall Norton for that.
I hope you installed another Antivirus now instead, because no Antivirus and Firewall leaves your system wideopen for infection.
Look in my signature under Antivirus where you can find free alternatives.
Avira is for example a great free Antivirus.

Let's fix your svchost.exe error now..

* Open your Windows Security Center (in control panel).
There, doubleclick Automatic Updates and set it to disable Automatic Updates and then reboot.

After reboot, go to Windows Update and download and install all updates.
Then reboot. Then reenable Windows update and look if the cpu goes up again caused by svchost.exe or if it gives an error again.
If so, there are two ways to fix this... Or leave Automatic updates disabled (you will still be able to download and install the updates from the Windows Update site),
or follow next instructions: (quoted from Microsoft forum here)

1. Click Start->Run, type "services.msc" (without quotation marks) in the
open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local System account"
is selected and the option "Allow service to interact with desktop" is
unchecked.

4. Check if this service has been enabled on the listed Hardware Profile. If
not, please click the Enable button to enable it.
5. Click on the tab "General "; make sure the "Startup Type" is "Automatic".
Then please click the button "Start" under "Service Status" to start the
service.
6. Repeat the above steps with the other service: Background Intelligent
Transfer Service (BITS)

Step 4: Re-register Windows Update components and Clear the corrupted
Windows Update temp folder

1. Click on Start and then click Run,
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and
press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message,
click OK.
4. Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

After the above steps are finished. Sicne temporary folder of Windows Update
may be corrupted. We can refer to the following steps to rename this folder
that

1. Click Start, Run, type: cmd and press Enter. Please run the following
command in the opened window.

net stop WuAuServ
(note, you might need to reboot before the net stop command will work)

2. Click Start, Run, type: %windir% and press Enter.
3. In the opened folder, rename the folder SoftwareDistribution to SDold.
4. Click Start, Run, type: cmd and press Enter. Please run the following
command in the opened window.

net start WuAuServ

Let me know if that solved it.
  • 0

#11
huttley

huttley

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi,

I am still getting the following error message:"The instruction at "0x7c918fea" referenced memory at "0x0000010". The memory could not be written"

Apart from that, I have no other obvious problems...

In reference to your antivirus point... I have installed Windows One Care. I have not had much to do with it, but it was sold to me as an all in one program, including Antivirus. I was told that Norton Antivirus takes up a lot of system resources. Please find attached my latest hijackthis! log:

Logfile of HijackThis v1.99.1
Scan saved at 6:19:04 PM, on 8/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mick\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://C:\Program Files\Telstra\SpeedTouch\BigPondGUI\HTML\nskey.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168580886264
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{248FC7F4-DD81-4971-B2C3-5DE9D4466A48}: NameServer = 144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Your log looks clean. Do you still get that error about svchost.exe even after you disabled automatic updates? Did you reboot afterwards?
Did you also perform the other steps I described/quoted?
Please do this as well. Because I really think it's the Windows Update service causing this.

When still the same issue afterwards after reboot, then another service may cause this as well.

I see Windows Media player components starting up with Windows here. If I am not mistaken, the "Windows Driver Foundation - User-mode Driver Framework" service gets activated then and this one loads svchost.exe as well.
This service is responsible for device classes such as cameras and portable music players that are based on protocol or serial buses.

What you can try first is, go to start > run and type: msconfig
Select the tab "Startup", search for next startupentry in it: "WMPNSCFG"
Unselect the box and reboot your computer.

Look if the error stays away.

In case the error still appears,
So go to start > run and type: services.msc
Then a new Window will open with all services displayed there.
Search in the list for: "Windows Driver Foundation - User-mode Driver Framework"
Doubleclick it and set the Startuptype to "disabled".

Then click apply and reboot.

I've also seen the Netlogon service causing this error, but if your computer is a member of a domain, you may not disable this service.

edit... By the way, since when are you getting this error? Because you say it started recently. Is it possible that this error appeared since you installed Microsoft Windows OneCare Live? Because you never know.
As I said before, some Security Suites cause this as well. Known ones are McAfee and Norton. But it *could be possible that Microsoft Windows OneCare Live may cause this too. Haven't seen this issue yet, but I don't see many threads either where Microsoft Windows OneCare Live is installed.

Edited by miekiemoes, 08 February 2007 - 06:30 AM.

  • 0

#13
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP