Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan problems


  • This topic is locked This topic is locked

#1
chase204

chase204

    Member

  • Member
  • PipPip
  • 24 posts
Hey guys. Im having alot of probelms with my computer. Norton keeps popping up saying its delted, Trojan,Vundo, Infostealer, and Trojan.Adclicker but they wont go away. I keep getting winanitivirus popups. I tried going into safemode and running norton along with adware, trojan hunter, and spybot but the problems are still there. Here is my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 3:34:00 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello and welcome to Geeks To Go

Some malware has the ability to hide when interrogated by HijackThis; I believe this may be true in your case. Please right click on hijackthis.exe and rename it to crusty.exe

Now please rescan with the newly named file and post the log into this thread by using the ADD REPLY button on the bottom right of this post, and I'll have a fresh look.

From now on, you will have to use crusty.exe to produce a HJT log.

Please ensure that you post logs created in normal mode only.
  • 0

#3
chase204

chase204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Ok, thanks, here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:41 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\crusty.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winexn32 - C:\WINDOWS\SYSTEM32\winexn32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello chase204 and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post quickly; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

Renaming HJT was a good call; have a look at the new entries at 02 and 020 in the log.

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
AVG AntiSpyware
combofix.exe

Please install, and update AVG Anti Spyware
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: winexn32 - C:\WINDOWS\SYSTEM32\winexn32.dll

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\svchost.exe
C:\WINDOWS\SYSTEM32\winexn32.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please)
  • 0

#5
chase204

chase204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Crusty, I followed all the steps. Your help was very much appreciated. Here are the 3 logs.
HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 7:06:42 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\crusty.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winexn32 - winexn32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

ComboFix:

"Chase" - 07-02-09 19:03:02 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Chase\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 17:25 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-09 17:25 <DIR> d-------- C:\Program Files\Grisoft
2007-02-09 17:20 <DIR> d-------- C:\Program Files\CCleaner
2007-02-09 17:19 <DIR> d-------- C:\!KillBox
2007-02-08 22:02 <DIR> d-------- C:\SDFix
2007-02-08 21:07 <DIR> d-------- C:\DOCUME~1\Forrest\Application Data\TrojanHunter
2007-02-08 21:04 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\TrojanHunter
2007-02-08 20:11 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-02-08 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-08 19:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-02-08 19:43 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Lavasoft
2007-02-08 19:17 <DIR> d-------- C:\Program Files\HiJackThis
2007-02-08 17:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-08 12:08 985,548 ---hs---- C:\WINDOWS\system32\yybeg.bak2
2007-02-08 01:31 996,012 ---hs---- C:\WINDOWS\system32\yybeg.ini2
2007-02-06 21:33 <DIR> d-------- C:\DOCUME~1\Forrest\Application Data\AdobeUM
2007-02-06 15:36 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\WildTangent
2007-02-06 14:05 277,125 ---hs---- C:\WINDOWS\system32\vtutq.dll
2007-02-06 13:34 277,066 ---hs---- C:\WINDOWS\system32\pmkhi.dll
2007-02-06 13:15 277,147 ---hs---- C:\WINDOWS\system32\jkklj.dll
2007-02-06 13:05 277,135 ---hs---- C:\WINDOWS\system32\mllji.dll
2007-02-06 13:04 277,135 ---hs---- C:\WINDOWS\system32\mlljh.dll
2007-02-06 12:08 997,612 ---hs---- C:\WINDOWS\system32\yybeg.bak1
2007-02-06 12:07 277,045 --ahs---- C:\WINDOWS\system32\gebyy.dll.vir
2007-02-06 12:04 277,045 ---hs---- C:\WINDOWS\system32\ddabx.dll
2007-02-06 12:02 277,045 ---hs---- C:\WINDOWS\system32\jkhfe.dll
2007-02-06 11:45 277,276 ---hs---- C:\WINDOWS\system32\mljjk.dll
2007-02-06 11:33 277,179 ---hs---- C:\WINDOWS\system32\pmnno.dll
2007-02-03 16:17 <DIR> d-------- C:\Program Files\QuickTime
2007-02-03 16:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-27 14:51 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\AdobeUM
2007-01-27 14:50 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Adobe
2007-01-26 22:14 <DIR> d-------- C:\DOCUME~1\Forrest\Application Data\Apple Computer
2007-01-25 17:54 <DIR> d-------- C:\DOCUME~1\Forrest\Application Data\Talkback
2007-01-25 16:08 <DIR> d-------- C:\Program Files\NimoCodec Pack
2007-01-22 22:13 <DIR> d-------- C:\DOCUME~1\Forrest\Application Data\Adobe
2007-01-22 21:27 <DIR> d-------- C:\DOCUME~1\JEANNE~1\Contacts
2007-01-21 19:11 <DIR> d-------- C:\Program Files\BitPim
2007-01-21 18:47 <DIR> d-------- C:\Program Files\MotoKit
2007-01-21 18:34 77,895 --a------ C:\WINDOWS\system32\unibus_tcutil.dll
2007-01-21 18:34 67,072 --a------ C:\WINDOWS\system32\drivers\Wibukey.sys
2007-01-21 18:34 57,552 --a------ C:\WINDOWS\system32\WKDOS.EXE
2007-01-21 18:34 52,736 --a------ C:\WINDOWS\system\WkWin.dll
2007-01-21 18:34 29,696 --a------ C:\WINDOWS\system32\drivers\Wibukey2.sys
2007-01-21 18:34 139,264 --a------ C:\WINDOWS\system32\WkWin32.dll
2007-01-21 18:34 <DIR> d-------- C:\Program Files\WIBUKEY
2007-01-21 18:34 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2007-01-21 18:21 92,064 --a------ C:\DOCUME~1\Chase\mqdmmdm.sys
2007-01-21 18:21 9,232 --a------ C:\DOCUME~1\Chase\mqdmmdfl.sys
2007-01-21 18:21 79,328 --a------ C:\DOCUME~1\Chase\mqdmserd.sys
2007-01-21 18:21 66,656 --a------ C:\DOCUME~1\Chase\mqdmbus.sys
2007-01-21 18:21 6,208 --a------ C:\DOCUME~1\Chase\mqdmcmnt.sys
2007-01-21 18:21 5,936 --a------ C:\DOCUME~1\Chase\mqdmwhnt.sys
2007-01-21 18:21 4,048 --a------ C:\DOCUME~1\Chase\mqdmcr.sys
2007-01-21 18:17 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\InstallShield
2007-01-21 18:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avanquest Software
2007-01-21 18:15 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-01-21 18:07 <DIR> d-------- C:\Program Files\LiveUpdate
2007-01-21 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\BVRP Software
2007-01-21 17:12 5,632 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2007-01-21 17:12 40,960 --a------ C:\WINDOWS\system32\drivers\P2k.sys
2007-01-21 17:12 22,768 --a------ C:\WINDOWS\system32\drivers\usbser2k.sys
2007-01-21 17:10 <DIR> d-------- C:\Program Files\Motorola
2007-01-21 17:10 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-01-21 17:04 <DIR> d-------- C:\Program Files\BitLord
2007-01-21 16:48 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-01-21 16:14 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-21 16:14 <DIR> d-------- C:\Program Files\MTV Networks
2007-01-21 15:32 <DIR> d-------- C:\Program Files\Motorola USB Drivers
2007-01-20 14:47 25,600 --a------ C:\DOCUME~1\Chase\usbsermptxp.sys
2007-01-20 14:47 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-01-20 14:47 22,768 --a------ C:\DOCUME~1\Chase\usbsermpt.sys
2007-01-18 21:41 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Viewpoint
2007-01-16 22:03 0 --a------ C:\DOCUME~1\Chase\Application Data\wklnhst.dat
2007-01-16 22:03 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Template
2007-01-14 00:37 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-01-13 23:52 40,960 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-01-13 23:52 2,879,488 --a------ C:\WINDOWS\SkyTel.exe
2007-01-13 23:51 <DIR> d-------- C:\Program Files\Realtek
2007-01-13 18:17 499,712 --a------ C:\WINDOWS\RtlExUpd.dll
2007-01-13 14:31 <DIR> d-------- C:\Program Files\Ventrilo
2007-01-13 14:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-13 14:30 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-01-12 22:56 <DIR> d-------- C:\Program Files\iTunes
2007-01-12 22:56 <DIR> d-------- C:\Program Files\iPod
2007-01-12 22:56 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Apple Computer
2007-01-12 22:55 <DIR> d-------- C:\Program Files\Apple Software Update
2007-01-12 22:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Apple Computer
2007-01-12 20:31 <DIR> d-------- C:\DOCUME~1\Chase\Shared
2007-01-12 20:30 <DIR> d-------- C:\Program Files\LimeWire
2007-01-12 20:30 <DIR> d-------- C:\DOCUME~1\Chase\Incomplete
2007-01-12 20:29 <DIR> d-------- C:\DOCUME~1\Chase\.limewire
2007-01-12 18:55 <DIR> d-------- C:\Program Files\PokerStars
2007-01-12 14:18 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Sonic
2007-01-12 14:18 <DIR> d-------- C:\DOCUME~1\Chase\Application Data\Leadertech
2007-01-10 18:40 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-09 15:14 1,168 --a------ C:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-09 18:59 -------- d-------- C:\Program Files\mozilla firefox
2007-02-09 17:25 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-09 16:55 -------- d-------- C:\Program Files\steam
2007-02-08 16:56 -------- d-------- C:\Program Files\mirc
2007-02-05 18:36 -------- d-------- C:\Program Files\norton internet security
2007-02-03 16:17 -------- d--h----- C:\Program Files\installshield installation information
2007-01-27 14:03 -------- d-------- C:\Program Files\google
2007-01-25 16:08 -------- d-------- C:\Program Files\divx
2007-01-21 18:47 720896 --a------ C:\WINDOWS\iun6002.exe
2007-01-21 16:25 -------- d---s---- C:\DOCUME~1\Chase\Application Data\microsoft
2007-01-21 16:06 -------- d-------- C:\Program Files\windows media connect 2
2007-01-10 01:11 -------- d-------- C:\Program Files\java
2007-01-07 18:53 -------- d-------- C:\Program Files\robster productions
2007-01-07 14:30 -------- d-------- C:\DOCUME~1\Chase\Application Data\sun
2007-01-07 14:03 -------- d-------- C:\DOCUME~1\Chase\Application Data\acccore
2007-01-07 14:02 -------- d-------- C:\Program Files\viewpoint
2007-01-07 14:02 -------- d-------- C:\Program Files\Common Files\nullsoft
2007-01-07 14:02 -------- d-------- C:\Program Files\Common Files\aol
2007-01-07 14:02 -------- d-------- C:\Program Files\aim6
2007-01-07 14:01 335 --a------ C:\WINDOWS\nsreg.dat
2007-01-07 14:01 -------- d-------- C:\DOCUME~1\Chase\Application Data\mozilla
2007-01-07 13:15 116977 --a------ C:\WINDOWS\hpoins11.dat
2007-01-07 03:47 -------- d-------- C:\DOCUME~1\Chase\Application Data\real
2007-01-06 04:13 -------- d-------- C:\Program Files\msxml 4.0
2007-01-05 23:15 -------- d-------- C:\DOCUME~1\Chase\Application Data\talkback
2007-01-05 23:06 -------- d-------- C:\DOCUME~1\Chase\Application Data\ventrilo
2007-01-05 21:57 -------- d-------- C:\Program Files\microsoft directx sdk (december 2006)
2007-01-05 21:57 -------- d-------- C:\Program Files\Common Files\aliaswavefront shared
2007-01-05 21:57 -------- d-------- C:\Program Files\Common Files\alias shared
2007-01-05 21:01 -------- d-------- C:\Program Files\msn messenger
2007-01-05 20:38 -------- d-------- C:\Program Files\codec pack - all in 1
2007-01-05 20:37 -------- d-------- C:\Program Files\symantec
2007-01-05 20:34 -------- d-------- C:\DOCUME~1\Chase\Application Data\google
2007-01-05 20:18 -------- d-------- C:\DOCUME~1\Chase\Application Data\macromedia
2007-01-05 20:10 -------- d-------- C:\DOCUME~1\Chase\Application Data\hpq
2007-01-05 20:02 -------- d-------- C:\Program Files\yahoo!
2006-12-08 12:02 339736 --a------ C:\WINDOWS\system32\d3dref9.dll
2006-12-08 12:02 251672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2006-12-08 12:01 3080472 --a------ C:\WINDOWS\system32\d3d9d.dll
2006-11-29 13:06 3724568 --a------ C:\WINDOWS\system32\d3dx9d_32.dll
2006-11-29 13:06 3426072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2006-11-15 11:38 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-11-13 11:49 73928 --a------ C:\WINDOWS\system32\dmcompod.dll
2006-11-13 11:49 52424 --a------ C:\WINDOWS\system32\dmloaded.dll
2006-11-13 11:49 41160 --a------ C:\WINDOWS\system32\dmbandd.dll
2006-11-13 11:49 359624 --a------ C:\WINDOWS\system32\dinput8d.dll
2006-11-13 11:49 30920 --a------ C:\WINDOWS\system32\dswaved.dll
2006-11-13 11:49 248008 --a------ C:\WINDOWS\system32\d3dref8.dll
2006-11-13 11:49 240328 --a------ C:\WINDOWS\system32\dmimed.dll
2006-11-13 11:49 1390792 --a------ C:\WINDOWS\system32\d3d8d.dll
2006-11-13 11:49 134344 --a------ C:\WINDOWS\system32\dmusicd.dll
2006-11-13 11:49 117448 --a------ C:\WINDOWS\system32\dmstyled.dll
2006-11-13 11:49 115912 --a------ C:\WINDOWS\system32\dmscripd.dll
2006-11-13 11:49 112840 --a------ C:\WINDOWS\system32\dmsynthd.dll
2006-11-13 11:49 106696 --a------ C:\WINDOWS\system32\d3dref.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ftutil2"="rundll32.exe ftutil2.dll,SetWriteCacheMode"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Updates From HP.lnk"
"backup"="C:\\WINDOWS\\pss\\Updates From HP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UPDATE~1\\9972322\\Program\\UPDATE~1.EXE -startup"
"item"="Updates From HP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chase^Start Menu^Programs^Startup^PinMcLnk.lnk]
"path"="C:\\Documents and Settings\\Chase\\Start Menu\\Programs\\Startup\\PinMcLnk.lnk"
"backup"="C:\\WINDOWS\\pss\\PinMcLnk.lnkStartup"
"location"="Startup"
"command"="C:\\hp\\bin\\cloaker.exe C:\\hp\\bin\\PinMcLnkToStart.bat"
"item"="PinMcLnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DMAScheduler"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\HP DigitalMedia Archive\\DMAScheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPwuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Remind_XP"
"hkey"="HKLM"
"command"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="steam"
"hkey"="HKCU"
"command"="\"c:\\program files\\steam\\steam.exe\" -silent"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{563AF8EA-5807-4FBC-A58E-ED7D9838F9C7}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\WINDOWS\\svchost.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexn32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
C:\WINDOWS\tasks\Register Reminder 7 day.job
C:\WINDOWS\tasks\Warranty Reminder 11 month.job
C:\WINDOWS\tasks\Warranty Reminder 15 day.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-09 19:05:12

AVG Anti-Spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:48 07-02-09

+ Scan result:



C:\Program Files\HiJackThis\backups\backup-20070208-193103-416.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\system32\urqomjk.dll.vir -> Adware.Virtumonde : Cleaned.
C:\Program Files\BitLord\Downloads\Kaspersky Internet security Ver.6.0.1.411 inc. key.rar/Kaspersky Internet security Ver.6.0.1.411 inc. key\kaspersky keygen.exe -> Backdoor.Ciadoor.cq : Cleaned.
C:\WINDOWS\Temp\win445.tmp -> Downloader.Agent.bdr : Cleaned.
C:\WINDOWS\Temp\win59A.tmp -> Downloader.Agent.bdr : Cleaned.
C:\Documents and Settings\Forrest\Local Settings\Temporary Internet Files\Content.IE5\DR0OVJAD\antizom[1].exe -> Logger.Agent.or : Cleaned.
C:\Program Files\Common Files\svchost.exe -> Logger.Agent.or : Cleaned.
C:\WINDOWS\Temp\win598.tmp.exe -> Logger.Agent.or : Cleaned.
C:\WINDOWS\svchost.exe -> Logger.Agent.or : Cleaned.
:mozilla.226:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.240:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Chase\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.57:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.58:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.59:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.60:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.88:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.89:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.90:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.92:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.93:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Chase\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.113:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.355:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.127:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Chase\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Forrest\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.13:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Chase\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.180:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.181:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.182:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.440:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Forrest\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.410:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.411:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.412:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.413:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.401:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.55:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Forrest\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.415:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.416:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.253:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.80:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.81:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.282:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.283:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Forrest\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.284:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Forrest\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.302:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.303:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.304:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.319:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.11:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.6:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.351:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.352:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.353:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.354:C:\Documents and Settings\Chase\Application Data\Mozilla\Firefox\Profiles\zi41ucw6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Chase\Local Settings\Temp\mst152.tmp -> Trojan.Agent.qt : Cleaned.
C:\WINDOWS\system32\winexn32.dll -> Trojan.Agent.qt : Cleaned.
C:\Program Files\WinRAR\Default.SFX -> Worm.Fujack.ac : Cleaned.


::Report end
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Please check my instructions for AVGas set up. The chosen recommended action should read QUARANTINE. Your HJT log shows it to be CLEAN.

Your Combofix shows a fair bit of Vundo, we will have to make this a priority to deal with.

Please delete these folders (you may have to be in safe mode to do so):

C:\Program Files\LimeWire\
C:\Program Files\Enigma Software Group\
C:\Program Files\viewpoint\

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If Vundofix does not find and delete the files, please try running it bit differently:
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste these entries below into the boxes:
    • C:\WINDOWS\system32\yybeg.bak2
      C:\WINDOWS\system32\yybeg.ini2
      C:\WINDOWS\system32\vtutq.dll
      C:\WINDOWS\system32\pmkhi.dll
      C:\WINDOWS\system32\jkklj.dll
      C:\WINDOWS\system32\mllji.dll
      C:\WINDOWS\system32\mlljh.dll
      C:\WINDOWS\system32\yybeg.bak1
      C:\WINDOWS\system32\gebyy.dll.vir
      C:\WINDOWS\system32\ddabx.dll
      C:\WINDOWS\system32\jkhfe.dll
      C:\WINDOWS\system32\mljjk.dll
      C:\WINDOWS\system32\pmnno.dll
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.

Edited by Crustyoldbloke, 09 February 2007 - 07:23 PM.

  • 0

#7
chase204

chase204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
thanks again. I checked my AVG Anti-Spyware and it does read QUARANTINE. Here is the VundoFix Log


VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:26:16 PM 2/9/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddabx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyy.dll.vir
C:\WINDOWS\system32\gebyy.dll.vir Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mljjk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\system32\yybeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Here is the HiJackThis Log

LLogfile of HijackThis v1.99.1
Scan saved at 8:43:54 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\HiJackThis\crusty.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Congratulations! your new log is clean. :whistling: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :blink:

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.

Edited by Crustyoldbloke, 10 February 2007 - 07:20 AM.

  • 0

#9
chase204

chase204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Wow. Thank-you very much for everything. I really appreciate this. Take care.
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
You are very welcome.

I will leave this thread open for a few days in case of misfortune.
  • 0

#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP