Need some help
#1 Dgtzd (New Member, 9 posts)

Hi and thanks in advance for any help.

I have something on my PC that has disabled my Symantec and Windows firewalls.
It has also taken my access to these programs so that I can't enable them.

Here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:55 AM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\ExpServer.exe
C:\WINDOWS\system32\portmap.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\1903cr.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00f62c5e-5beb-475e-aae3-3be74414d9de} - C:\WINDOWS\system32\dmimapi.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {E71A560B-D49B-FA9F-1632-0DB28C99FFC1} - (no file)
O2 - BHO: (no name) - {F98F11B0-62E6-E7E0-D051-01AAC884B26B} - (no file)
O2 - BHO: (no name) - {FF727DF6-44E1-A3BA-9C18-38EF60734836} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Service Monitor] b4d.exe
O4 - HKLM\..\Run: [Microsoft Intrenet Explorer] ming.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKLM\..\RunServices: [Service Monitor] b4d.exe
O4 - HKLM\..\RunServices: [Microsoft Intrenet Explorer] ming.exe
O4 - HKCU\..\Run: [] C:\Program Files\zilpe\zlip.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm128YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wkhkalrbdwfxy.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176066089218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143772618515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - AppInit_DLLs: iniwin32.dll,
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: dmimapi - dmimapi.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ExpServer - SILVACO International - C:\WINDOWS\SYSTEM32\ExpServer.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ONC/RPC Portmapper (Portmap) - Unknown owner - C:\WINDOWS\system32\portmap.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SILVACO Floating License Manager (SilvacoSflm) (SilvacoSflm) - Unknown owner - C:\Silvaco\lib\rpc.sflmserverd\4.8.0.R\x86-nt\rpc.sflmserverd.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thank you again for any help.

#2 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hello and welcome :whistling:

Some nasties to remove, so let's get started.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#3 Dgtzd (Topic Starter, New Member, 9 posts)

Hi Loophole,

Here's the combofix log:

"Mitch" - 07-04-12 10:35:02 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Mitch\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-12 to 2007-04-12 ))))))))))))))))))))))))))))))))))


2007-04-11 17:25 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-11 11:19 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-04-11 11:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-11 09:57 <DIR> d-------- C:\VundoFix Backups
2007-04-11 09:37 <DIR> d-------- C:\HijackThis
2007-04-10 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-10 18:56 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-10 18:51 2,642 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-04-10 18:50 870,618 --a------ C:\temp\SmitfraudFix.exe
2007-04-10 18:50 <DIR> d-------- C:\temp\SmitfraudFix
2007-04-10 18:48 <DIR> d-------- C:\WINDOWS\pss
2007-04-10 00:21 38,809 --a------ C:\WINDOWS\SYSTEM32\update00162523.exe
2007-04-10 00:04 2,353,758 --a------ C:\WINDOWS\SYSTEM32\SBSP.dat
2007-04-09 23:58 978 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-04-09 23:42 38,809 --a------ C:\WINDOWS\SYSTEM32\update39029103.exe
2007-04-09 23:37 38,809 --a------ C:\WINDOWS\SYSTEM32\update90004561.exe
2007-04-09 23:32 38,809 --a------ C:\WINDOWS\SYSTEM32\update10693785.exe
2007-04-09 23:27 38,809 --a------ C:\WINDOWS\SYSTEM32\update84374062.exe
2007-04-09 23:22 37,549 --a------ C:\WINDOWS\SYSTEM32\update13137401.exe
2007-04-09 23:16 38,809 --a------ C:\WINDOWS\SYSTEM32\update57302234.exe
2007-04-09 23:11 38,809 --a------ C:\WINDOWS\SYSTEM32\update41103699.exe
2007-04-09 23:06 38,809 --a------ C:\WINDOWS\SYSTEM32\update26410830.exe
2007-04-09 23:01 38,809 --a------ C:\WINDOWS\SYSTEM32\update05676190.exe
2007-04-09 22:56 38,809 --a------ C:\WINDOWS\SYSTEM32\update26057527.exe
2007-04-09 22:51 38,809 --a------ C:\WINDOWS\SYSTEM32\update07978851.exe
2007-04-09 22:46 38,809 --a------ C:\WINDOWS\SYSTEM32\update10775456.exe
2007-04-09 22:40 38,809 --a------ C:\WINDOWS\SYSTEM32\update28404678.exe
2007-04-09 22:35 38,809 --a------ C:\WINDOWS\SYSTEM32\update07462877.exe
2007-04-09 22:30 38,809 --a------ C:\WINDOWS\SYSTEM32\update08165670.exe
2007-04-09 22:25 38,809 --a------ C:\WINDOWS\SYSTEM32\update51365020.exe
2007-04-09 22:20 38,809 --a------ C:\WINDOWS\SYSTEM32\update88923726.exe
2007-04-09 22:15 38,809 --a------ C:\WINDOWS\SYSTEM32\update77371223.exe
2007-04-09 22:10 37,549 --a------ C:\WINDOWS\SYSTEM32\update76478257.exe
2007-04-09 22:05 38,809 --a------ C:\WINDOWS\SYSTEM32\update38415189.exe
2007-04-09 21:59 38,809 --a------ C:\WINDOWS\SYSTEM32\update42738385.exe
2007-04-09 21:54 38,809 --a------ C:\WINDOWS\SYSTEM32\update55815848.exe
2007-04-09 21:49 38,809 --a------ C:\WINDOWS\SYSTEM32\update98221393.exe
2007-04-09 21:44 38,809 --a------ C:\WINDOWS\SYSTEM32\update26679479.exe
2007-04-09 21:39 38,809 --a------ C:\WINDOWS\SYSTEM32\update86892619.exe
2007-04-09 21:34 38,809 --a------ C:\WINDOWS\SYSTEM32\update67676608.exe
2007-04-09 21:29 38,809 --a------ C:\WINDOWS\SYSTEM32\update06661798.exe
2007-04-09 21:24 38,809 --a------ C:\WINDOWS\SYSTEM32\update06396680.exe
2007-04-09 21:18 38,809 --a------ C:\WINDOWS\SYSTEM32\update08344358.exe
2007-04-09 21:13 38,809 --a------ C:\WINDOWS\SYSTEM32\update58368444.exe
2007-04-09 21:08 38,809 --a------ C:\WINDOWS\SYSTEM32\update24459962.exe
2007-04-09 21:03 37,549 --a------ C:\WINDOWS\SYSTEM32\update48145228.exe
2007-04-09 20:58 38,809 --a------ C:\WINDOWS\SYSTEM32\update37953295.exe
2007-04-09 20:53 38,809 --a------ C:\WINDOWS\SYSTEM32\update72939239.exe
2007-04-09 20:48 38,809 --a------ C:\WINDOWS\SYSTEM32\update55065325.exe
2007-04-09 20:43 38,809 --a------ C:\WINDOWS\SYSTEM32\update48508539.exe
2007-04-09 20:38 38,809 --a------ C:\WINDOWS\SYSTEM32\update86736822.exe
2007-04-09 20:32 38,809 --a------ C:\WINDOWS\SYSTEM32\update25862844.exe
2007-04-09 20:27 38,809 --a------ C:\WINDOWS\SYSTEM32\update75557856.exe
2007-04-09 20:22 38,809 --a------ C:\WINDOWS\SYSTEM32\update92784527.exe
2007-04-09 20:17 38,809 --a------ C:\WINDOWS\SYSTEM32\update59679304.exe
2007-04-09 20:12 29,969 --a------ C:\WINDOWS\SYSTEM32\update68414136.exe
2007-04-09 20:07 38,809 --a------ C:\WINDOWS\SYSTEM32\update41780572.exe
2007-04-09 20:02 35,009 --a------ C:\WINDOWS\SYSTEM32\update10018912.exe
2007-04-09 19:57 38,809 --a------ C:\WINDOWS\SYSTEM32\update87917227.exe
2007-04-09 19:47 235,008 --a------ C:\WINDOWS\SYSTEM32\update71197586.exe
2007-04-09 19:14 38,809 --a------ C:\WINDOWS\SYSTEM32\update79405895.exe
2007-04-09 03:16 38,809 --a------ C:\WINDOWS\SYSTEM32\update43153339.exe
2007-04-09 03:11 38,809 --a------ C:\WINDOWS\SYSTEM32\update55995816.exe
2007-04-09 03:06 38,809 --a------ C:\WINDOWS\SYSTEM32\update12361073.exe
2007-04-09 03:01 32,509 --a------ C:\WINDOWS\SYSTEM32\update68899359.exe
2007-04-09 02:56 32,509 --a------ C:\WINDOWS\SYSTEM32\update51567926.exe
2007-04-09 02:51 38,809 --a------ C:\WINDOWS\SYSTEM32\update10584071.exe
2007-04-09 02:45 38,809 --a------ C:\WINDOWS\SYSTEM32\update79018100.exe
2007-04-09 02:40 38,809 --a------ C:\WINDOWS\SYSTEM32\update28030189.exe
2007-04-09 02:35 38,809 --a------ C:\WINDOWS\SYSTEM32\update05202734.exe
2007-04-09 02:30 38,809 --a------ C:\WINDOWS\SYSTEM32\update68365484.exe
2007-04-09 02:25 38,809 --a------ C:\WINDOWS\SYSTEM32\update41653899.exe
2007-04-09 02:20 42,496 --a------ C:\WINDOWS\SYSTEM32\totour.exe
2007-04-09 02:20 38,809 --a------ C:\WINDOWS\SYSTEM32\update88450238.exe
2007-04-09 02:20 31,800 --a------ C:\WINDOWS\SYSTEM32\update82259777.exe
2007-04-09 02:15 38,809 --a------ C:\WINDOWS\SYSTEM32\update85827392.exe
2007-04-09 02:10 38,809 --a------ C:\WINDOWS\SYSTEM32\update21295619.exe
2007-04-09 02:05 38,809 --a------ C:\WINDOWS\SYSTEM32\update47444335.exe
2007-04-09 02:00 38,809 --a------ C:\WINDOWS\SYSTEM32\update18040512.exe
2007-04-09 01:55 38,809 --a------ C:\WINDOWS\SYSTEM32\update73927933.exe
2007-04-09 01:50 38,809 --a------ C:\WINDOWS\SYSTEM32\update22578500.exe
2007-04-09 01:45 38,809 --a------ C:\WINDOWS\SYSTEM32\update84642467.exe
2007-04-09 01:39 38,809 --a------ C:\WINDOWS\SYSTEM32\update13262065.exe
2007-04-09 01:34 38,809 --a------ C:\WINDOWS\SYSTEM32\update48338559.exe
2007-04-09 01:29 38,809 --a------ C:\WINDOWS\SYSTEM32\update31669190.exe
2007-04-09 01:24 38,809 --a------ C:\WINDOWS\SYSTEM32\update53195178.exe
2007-04-09 01:19 38,809 --a------ C:\WINDOWS\SYSTEM32\update17616772.exe
2007-04-09 01:14 38,809 --a------ C:\WINDOWS\SYSTEM32\update01939519.exe
2007-04-09 01:09 38,809 --a------ C:\WINDOWS\SYSTEM32\update64158465.exe
2007-04-09 01:04 38,809 --a------ C:\WINDOWS\SYSTEM32\update36122460.exe
2007-04-09 00:59 38,809 --a------ C:\WINDOWS\SYSTEM32\update93690573.exe
2007-04-09 00:54 38,809 --a------ C:\WINDOWS\SYSTEM32\update23224742.exe
2007-04-09 00:39 38,809 --a------ C:\WINDOWS\SYSTEM32\update71721880.exe
2007-04-09 00:33 38,809 --a------ C:\WINDOWS\SYSTEM32\update03038108.exe
2007-04-09 00:23 38,809 --a------ C:\WINDOWS\SYSTEM32\update86042452.exe
2007-04-09 00:08 38,809 --a------ C:\WINDOWS\SYSTEM32\update74082038.exe
2007-04-08 23:53 38,809 --a------ C:\WINDOWS\SYSTEM32\update49102838.exe
2007-04-08 18:47 32,509 --a------ C:\WINDOWS\SYSTEM32\update85235862.exe
2007-04-08 18:47 11,340 --a------ C:\WINDOWS\SYSTEM32\update74910283.exe
2007-04-08 18:40 <DIR> d-------- C:\WINDOWS\Sun
2007-04-08 18:40 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\Sun
2007-04-08 18:40 <DIR> d-------- C:\DOCUME~1\Mitch\.housecall6.6
2007-04-08 18:18 38,809 --a------ C:\WINDOWS\SYSTEM32\update90192900.exe
2007-04-08 18:13 38,809 --a------ C:\WINDOWS\SYSTEM32\update16069765.exe
2007-04-08 18:12 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-04-08 18:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-08 18:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-08 17:58 38,809 --a------ C:\WINDOWS\SYSTEM32\update06642530.exe
2007-04-08 17:53 11,340 --a------ C:\WINDOWS\SYSTEM32\update84090792.exe
2007-04-08 17:48 38,809 --a------ C:\WINDOWS\SYSTEM32\update34493574.exe
2007-04-08 17:43 38,809 --a------ C:\WINDOWS\SYSTEM32\update29230555.exe
2007-04-08 17:33 38,809 --a------ C:\WINDOWS\SYSTEM32\update86944921.exe
2007-04-08 17:17 38,809 --a------ C:\WINDOWS\SYSTEM32\update71941842.exe
2007-04-08 17:17 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-08 17:04 38,809 --a------ C:\WINDOWS\SYSTEM32\update40613141.exe
2007-04-08 17:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-08 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-08 17:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-08 16:18 38,809 --a------ C:\WINDOWS\SYSTEM32\update62578799.exe
2007-04-08 16:13 38,809 --a------ C:\WINDOWS\SYSTEM32\update44580061.exe
2007-04-08 16:08 38,809 --a------ C:\WINDOWS\SYSTEM32\update19802938.exe
2007-04-08 16:03 38,809 --a------ C:\WINDOWS\SYSTEM32\update86144478.exe
2007-04-08 15:58 38,809 --a------ C:\WINDOWS\SYSTEM32\update12494116.exe
2007-04-08 15:53 38,809 --a------ C:\WINDOWS\SYSTEM32\update58066838.exe
2007-04-08 15:48 38,809 --a------ C:\WINDOWS\SYSTEM32\update97003829.exe
2007-04-08 15:42 38,809 --a------ C:\WINDOWS\SYSTEM32\update16445193.exe
2007-04-08 15:37 38,809 --a------ C:\WINDOWS\SYSTEM32\update14955337.exe
2007-04-08 15:32 36,289 --a------ C:\WINDOWS\SYSTEM32\update42436467.exe
2007-04-08 15:27 38,809 --a------ C:\WINDOWS\SYSTEM32\update16810854.exe
2007-04-08 15:22 38,809 --a------ C:\WINDOWS\SYSTEM32\update97789770.exe
2007-04-08 15:17 38,809 --a------ C:\WINDOWS\SYSTEM32\update92380205.exe
2007-04-08 15:12 38,809 --a------ C:\WINDOWS\SYSTEM32\update15050767.exe
2007-04-08 15:12 297,984 --a------ C:\WINDOWS\1903cr.exe
2007-03-30 16:09 <DIR> d-------- C:\WINDOWS\bak
2007-03-30 16:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2007-03-15 12:23 497,496 --a------ C:\WINDOWS\SYSTEM32\XceedZip.dll
2007-03-15 12:19 526,184 --a------ C:\WINDOWS\SYSTEM32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-08 18:13 -------- d-------- C:\Program Files\messenger
2007-04-08 14:57 -------- d-------- C:\Program Files\itunes
2007-04-07 11:50 -------- d-------- C:\Program Files\quicktime
2007-03-17 09:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-17 18:15 81920 --a------ C:\WINDOWS\SYSTEM32\openal32.dll
2007-02-17 18:15 233472 --a------ C:\WINDOWS\SYSTEM32\wrap_oal.dll
2007-02-14 13:57 -------- d-------- C:\Program Files\macrovision
2007-02-13 19:18 -------- d-------- C:\Program Files\sony
2007-02-05 16:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@="C:\\Program Files\\zilpe\\zlip.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"fwenc.exe"="\"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\fwenc.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"Service Monitor"="b4d.exe"
"Microsoft Intrenet Explorer"="ming.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy4\\DVDAudio\\CTDVDDET.EXE\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy4\\Surround Mixer\\CTSysVol.exe /r"
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"CTHelper"="CTHELPER.EXE"
"RegistryMonitor"="C:\\WINDOWS\\1903cr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Service Monitor"="b4d.exe"
"Microsoft Intrenet Explorer"="ming.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"dllssc"="C:\\WINDOWS\\system32\\dllssc.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dmimapi

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
BITSgroup REG_MULTI_SZ BITS\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Tune-up Application Start.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-12 10:38:06
C:\ComboFix-quarantined-files.txt ... 07-04-12 10:38
C:\ComboFix2.txt ... 07-04-12 10:22
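
The "Files Created" section above shows dozens of update########.exe files landing in SYSTEM32 at almost exactly five-minute intervals, which is what a downloader re-fetching its payload on a timer looks like. As an added example (my own code, not ComboFix's), this Python script parses lines in that section's format, groups files by folder and by name with digit runs collapsed, and flags any group created at a regular short interval. The sample below is constructed from a few lines of the posted log; the thresholds (at least five files, median gap of ten minutes or less) are my own choices.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the ComboFix "Files Created" section
# above (a few lines copied from it, not the whole list).
SAMPLE_FILES = r"""
2007-04-11 17:25 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-09 23:42 38,809 --a------ C:\WINDOWS\SYSTEM32\update39029103.exe
2007-04-09 23:37 38,809 --a------ C:\WINDOWS\SYSTEM32\update90004561.exe
2007-04-09 23:32 38,809 --a------ C:\WINDOWS\SYSTEM32\update10693785.exe
2007-04-09 23:27 38,809 --a------ C:\WINDOWS\SYSTEM32\update84374062.exe
2007-04-09 23:22 37,549 --a------ C:\WINDOWS\SYSTEM32\update13137401.exe
2007-04-09 23:16 38,809 --a------ C:\WINDOWS\SYSTEM32\update57302234.exe
2007-04-09 23:11 38,809 --a------ C:\WINDOWS\SYSTEM32\update41103699.exe
2007-04-09 23:06 38,809 --a------ C:\WINDOWS\SYSTEM32\update26410830.exe
2007-04-09 02:20 42,496 --a------ C:\WINDOWS\SYSTEM32\totour.exe
2007-04-08 15:12 297,984 --a------ C:\WINDOWS\1903cr.exe
2007-03-15 12:23 497,496 --a------ C:\WINDOWS\SYSTEM32\XceedZip.dll
2007-03-15 12:19 526,184 --a------ C:\WINDOWS\SYSTEM32\XceedCry.dll
"""

# date time  size-or-<DIR>  9-char attribute field  path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")


def parse_entries(text):
    """Turn 'Files Created' lines into dicts; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, _attrs, path = m.groups()
        if size == "<DIR>":
            continue
        entries.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "size": int(size.replace(",", "")),
            "path": path,
        })
    return entries


def name_pattern(path):
    """(folder, file name with every digit run collapsed to '#'), lower-cased."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), re.sub(r"\d+", "#", name.lower())


def find_bursts(text, min_files=5, max_median_gap_min=10):
    """Groups of look-alike files created at a regular, short interval."""
    groups = defaultdict(list)
    for e in parse_entries(text):
        groups[name_pattern(e["path"])].append(e)
    bursts = []
    for (folder, pattern), items in groups.items():
        if len(items) < min_files:
            continue
        times = sorted(e["when"] for e in items)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        median_gap = float(statistics.median(gaps))
        if median_gap <= max_median_gap_min:
            bursts.append({
                "folder": folder,
                "pattern": pattern,
                "count": len(items),
                "median_gap_min": median_gap,
                "distinct_sizes": len({e["size"] for e in items}),
                "first": times[0],
                "last": times[-1],
            })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_FILES):
        print(f"{b['count']} files matching {b['folder']}\\{b['pattern']} "
              f"every ~{b['median_gap_min']:.0f} min "
              f"({b['first']:%H:%M} to {b['last']:%H:%M}), "
              f"{b['distinct_sizes']} distinct sizes")
```

The distinct-size count is worth keeping in the output: a handful of sizes repeated across many files suggests a small set of payload variants being re-dropped, which is a different cleanup problem from one file copied many times.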

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi :whistling:

Let's get to work.

Please go here and, in the "Browse to the file you want to submit:" box, copy and paste the following line in:

C:\WINDOWS\1903cr.exe

Then click the Send File button (you can fill out the rest of the info if you wish, but it's not important).

Download the attached zip file [attachment=13939:run_me.zip]. Please extract it to your desktop.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of wkhkalrbdwfxy.dll.
  • Select every instance of wkhkalrbdwfxy.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
Please print the rest of these directions out for use in Safe Mode.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Open the Run me folder on your desktop and double click the Run me.bat file.

Next
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum together with a new HijackThis log.

  • 0

#5
Dgtzd

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi loophole,

When in Safe Mode, SDFix tried to install a .dll called Hardlocked.dll but it couldn't find it. A box came up that gave me the choice to continue or ignore. I tried continue several times and it kept hanging up with the hardlocked.dll error message. I finally hit ignore and it finished. Anyway, here's the error report.


SDFix: Version 1.78

Run by Mitch - Fri 04/13/2007 - 10:08:17.89

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe:*:Enabled:SecureClient Application"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\SYSTEM32\config\default.tmp.LOG
C:\WINDOWS\SYSTEM32\config\software.tmp.LOG
C:\WINDOWS\SYSTEM32\config\system.tmp.LOG

Finished






Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:42 AM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\ExpServer.exe
C:\WINDOWS\system32\portmap.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00f62c5e-5beb-475e-aae3-3be74414d9de} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {E71A560B-D49B-FA9F-1632-0DB28C99FFC1} - (no file)
O2 - BHO: (no name) - {F98F11B0-62E6-E7E0-D051-01AAC884B26B} - (no file)
O2 - BHO: (no name) - {FF727DF6-44E1-A3BA-9C18-38EF60734836} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm128YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176066089218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143772618515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: dmimapi - dmimapi.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ExpServer - SILVACO International - C:\WINDOWS\SYSTEM32\ExpServer.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ONC/RPC Portmapper (Portmap) - Unknown owner - C:\WINDOWS\system32\portmap.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: SILVACO Floating License Manager (SilvacoSflm) (SilvacoSflm) - Unknown owner - C:\Silvaco\lib\rpc.sflmserverd\4.8.0.R\x86-nt\rpc.sflmserverd.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
  • 0
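The "Authorized Application Key Export" in the SDFix report above is the Windows XP firewall exception list, which is worth reading closely on a machine whose firewall was reported disabled. As an added example, not SDFix code or anything posted in this thread, the Python below parses that export into structured records and lists every enabled, any-address exception whose program lives outside C:\WINDOWS or C:\Program Files. The sample input is the two keys from the report plus one constructed line (a suspect.exe in a temp folder) so the check has something to flag; the value layout path:scope:enabled:name is the registry's own, and expanding %windir% to C:\WINDOWS for the comparison is an assumption.

```python
"""Parse a Windows XP firewall 'AuthorizedApplications' export (the block SDFix
prints under 'Authorized Application Key Export') and list which programs are
allowed through each profile.

Added example; not SDFix code or anything posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two keys from the SDFix report above, plus one
# made-up line (suspect.exe in a temp folder) so the check below has a hit.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\\DOCUME~1\\Mitch\\LOCALS~1\\Temp\\suspect.exe"="C:\\DOCUME~1\\Mitch\\LOCALS~1\\Temp\\suspect.exe:*:Enabled:suspect"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

# Roots a reviewer treats as the expected homes of firewall-excepted programs.
# Expanding %windir% to C:\WINDOWS is an assumption (the default install path).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

KEY_RE = re.compile(r"^\[.*\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


@dataclass
class FirewallException:
    profile: str   # StandardProfile or DomainProfile
    path: str      # program path, un-escaped
    scope: str     # '*' means any remote address
    enabled: bool
    name: str      # display name, or a resource string like @xpsp2res.dll,-22019


def unescape(s):
    """Undo .reg escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_export(text):
    """Turn the exported key/value lines into FirewallException records."""
    entries = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group("profile")
            continue
        if not line or profile is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        path = unescape(m.group("name"))
        data = unescape(m.group("data"))
        # Value layout is <path>:<scope>:<Enabled|Disabled>:<name>. The path
        # itself contains a colon (drive letter), so strip it by length
        # instead of splitting on ':' from the left.
        if not data.startswith(path + ":"):
            continue
        parts = data[len(path) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        entries.append(FirewallException(profile, path, scope,
                                         state.lower() == "enabled", name))
    return entries


def flag_unusual(entries):
    """Enabled, any-address exceptions whose program sits outside the trusted roots."""
    flagged = []
    for e in entries:
        normalized = e.path.replace("%windir%", r"C:\WINDOWS").lower()
        if e.enabled and e.scope == "*" and not normalized.startswith(TRUSTED_ROOTS):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for e in entries:
        print(f"{e.profile:16} {'on ' if e.enabled else 'off'} {e.scope:3} {e.path}")
    print("review:", [e.path for e in flag_unusual(entries)])
```

The location check is only a first pass: a program under C:\Program Files can still be unwanted, so the full list is printed as well and the flagged subset is simply where a reviewer starts.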

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

I tried continue several times and it kept hanging up with the hardlocked.dll error message.

I haven't heard of this error; I will look into it. The report was fine, by the way.

Click Start >> Control Panel >> Add/Remove Programs and uninstall the following if present:
Viewpoint

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {00f62c5e-5beb-475e-aae3-3be74414d9de} - (no file)
O2 - BHO: (no name) - {E71A560B-D49B-FA9F-1632-0DB28C99FFC1} - (no file)
O2 - BHO: (no name) - {F98F11B0-62E6-E7E0-D051-01AAC884B26B} - (no file)
O2 - BHO: (no name) - {FF727DF6-44E1-A3BA-9C18-38EF60734836} - (no file)
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm128YYUS
O20 - Winlogon Notify: dmimapi - dmimapi.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Rescan with ComboFix and post the log; also let me know how things are running.

Thanks
  • 0
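The entries selected above for "Fix checked" follow a few repeatable patterns: O2 BHOs whose file is gone, an O4 Run entry that is not one of the machine's known startup items, an O8 context menu item backed by a remote URL, and O20/O23 entries pointing at missing files. As an added example, not HijackThis code or anything posted in this thread, the Python below applies those rules to a handful of lines copied from the log above and produces a review list with a reason per line. The allowlist of known Run entries is assumed to be maintained by the analyst (here it is the legitimate entries from the posted log); nothing in the output is a verdict, only a pointer to what to look at first.

```python
"""First-pass triage of HijackThis log lines: pick out the entry types a
malware helper looks at first and say why each one deserves a look.

Added example; not HijackThis code or anything posted in the thread. The
rules mirror what was selected for 'Fix checked' above; they produce a
review list, not a verdict.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00f62c5e-5beb-475e-aae3-3be74414d9de} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm128YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O20 - Winlogon Notify: dmimapi - dmimapi.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
"""

# Analyst-maintained allowlist (assumption) of Run-key entry names already
# recognised on this machine: the legitimate ones from the posted log.
# Anything else is listed for review.
KNOWN_RUN_ENTRIES = {"ccapp", "vptray", "soundman", "audiodrvemulator", "cthelper"}

# O4 lines look like: O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def triage(log_text):
    """Return a list of (line, reason) pairs for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O2" and line.endswith("(no file)"):
            findings.append((line, "BHO CLSID registered but its file is gone (orphaned entry)"))
        elif section == "O4":
            m = O4_RE.match(line)
            if m and m.group("name").lower() not in KNOWN_RUN_ENTRIES:
                findings.append((line, "autostart entry not on the reviewed allowlist"))
        elif section == "O8":
            # The target is everything after the last ' - '; local items use
            # res:// or file:///, so a remote http(s) target stands out.
            target = line.rsplit(" - ", 1)[-1]
            if target.lower().startswith(("http://", "https://")):
                findings.append((line, "context menu item backed by a remote URL"))
        elif section in ("O20", "O23") and line.endswith("(file missing)"):
            findings.append((line, f"{section} entry points to a file that is missing"))
    return findings


def sections_flagged(findings):
    """The section tag (O2, O4, ...) of each finding, in log order."""
    return [line.split(" - ", 1)[0] for line, _ in findings]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample this yields five lines for review; the O23 "file missing" hit for the Symantec AntiVirus service is not something the helper chose to fix, but it is exactly the kind of entry a reviewer wants surfaced when the user reports the antivirus being disabled.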

#7
Dgtzd

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hey Loophole,

The only thing that seems to be happening now is that I get a popup that tells me that Symantec AntiVirus Auto-Protect has been disabled. When I open Symantec to enable it again, the Enable box is already checked.
Also, when I try to bring up the Symantec Firewall, nothing happens. Besides that, everything seems to be running fine now.

Here's the combofix log:

"Mitch" - 07-04-14 22:20:54 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Mitch\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-14 to 2007-04-14 ))))))))))))))))))))))))))))))))))


2007-04-11 17:25 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-11 11:19 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-04-11 11:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-11 09:57 <DIR> d-------- C:\VundoFix Backups
2007-04-11 09:37 <DIR> d-------- C:\HijackThis
2007-04-10 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-10 18:56 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-10 18:51 2,642 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-04-10 18:50 870,618 --a------ C:\temp\SmitfraudFix.exe
2007-04-10 18:50 <DIR> d-------- C:\temp\SmitfraudFix
2007-04-10 18:48 <DIR> d-------- C:\WINDOWS\pss
2007-04-10 00:04 2,353,758 --a------ C:\WINDOWS\SYSTEM32\SBSP.dat
2007-04-09 23:58 978 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-04-08 18:40 <DIR> d-------- C:\WINDOWS\Sun
2007-04-08 18:40 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\Sun
2007-04-08 18:40 <DIR> d-------- C:\DOCUME~1\Mitch\.housecall6.6
2007-04-08 18:12 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-04-08 18:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-08 18:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-08 17:17 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-08 17:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-08 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-08 17:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-03-30 16:09 <DIR> d-------- C:\WINDOWS\bak
2007-03-30 16:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2007-03-15 12:23 497,496 --a------ C:\WINDOWS\SYSTEM32\XceedZip.dll
2007-03-15 12:19 526,184 --a------ C:\WINDOWS\SYSTEM32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-14 22:15 -------- d-------- C:\Program Files\viewpoint
2007-04-08 18:13 -------- d-------- C:\Program Files\messenger
2007-04-08 14:57 -------- d-------- C:\Program Files\itunes
2007-04-07 11:50 -------- d-------- C:\Program Files\quicktime
2007-03-17 09:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-17 18:15 81920 --a------ C:\WINDOWS\SYSTEM32\openal32.dll
2007-02-17 18:15 233472 --a------ C:\WINDOWS\SYSTEM32\wrap_oal.dll
2007-02-14 13:57 -------- d-------- C:\Program Files\macrovision
2007-02-05 16:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"SoundMan"="SOUNDMAN.EXE"
"CTHelper"="CTHELPER.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
BITSgroup REG_MULTI_SZ BITS\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Tune-up Application Start.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-14 22:23:34
C:\ComboFix-quarantined-files.txt ... 07-04-14 22:23
C:\ComboFix2.txt ... 07-04-12 10:38
C:\ComboFix3.txt ... 07-04-12 10:22


And I'm adding another HijackThis log just for good measure.




Logfile of HijackThis v1.99.1
Scan saved at 10:28:19 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\ExpServer.exe
C:\WINDOWS\system32\portmap.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176066089218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143772618515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ExpServer - SILVACO International - C:\WINDOWS\SYSTEM32\ExpServer.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ONC/RPC Portmapper (Portmap) - Unknown owner - C:\WINDOWS\system32\portmap.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: SILVACO Floating License Manager (SilvacoSflm) (SilvacoSflm) - Unknown owner - C:\Silvaco\lib\rpc.sflmserverd\4.8.0.R\x86-nt\rpc.sflmserverd.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)



Thank you for all of your help.
  • 0

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

I will look into the Symantec issue. I suspect another trojan at work here also. Please do this for me:

  • Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#9
Dgtzd

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi Loophole,

Here's the AWF log you requested.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\ZILPE\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 06:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

08/12/2005 06:43 PM 45,056 cli.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/06/2005 12:05 AM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

02/29/2004 07:44 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/07/2006 05:36 AM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~2\BAK

03/12/2004 06:18 PM 124,128 VPTray.exe
1 File(s) 124,128 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

08/19/2005 10:34 PM 3,084,288 ypager.exe
1 File(s) 3,084,288 bytes

Directory of C:\PROGRA~1\CHECKP~1\SECURE~1\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 07:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 02:00 AM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

02/15/2005 05:10 PM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

04/13/2005 04:48 AM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 8 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Jan 1 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
45056 Aug 12 2005 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
344064 Aug 6 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
66680 Feb 29 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
66680 Feb 29 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
81920 Jan 7 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
81920 Jan 7 2006 "D:\Sony\SonicStage\SSAAD.exe"
124128 Mar 12 2004 "C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe"
124128 Mar 12 2004 "C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe"
3084288 Aug 19 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy4\DVDAudio\bak\CTDVDDET.EXE"
57344 Feb 15 2005 "C:\Program Files\Creative\SBAudigy4\Surround Mixer\bak\CTSysVol.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"


end of report
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :whistling:

Download this attached zip file: [attachment=14006:Runme.zip]
Extract it to your desktop. It will create a new folder called runme.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Open the runme folder and double click the runme.bat

Reboot.

Let me know if Symantec behaves correctly, as well as your other programs. Post a new HijackThis log also.

Thanks
  • 0

#11
Dgtzd

Dgtzd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I just ran the runme.bat file in safe mode.

I'm still getting a pop-up that says "Symantec Auto-Protect is disabled", but it says it's enabled when I check.

Also, Symantec firewall still doesn't work.

Here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:42:15 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\ExpServer.exe
C:\WINDOWS\system32\portmap.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176066089218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143772618515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ExpServer - SILVACO International - C:\WINDOWS\SYSTEM32\ExpServer.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ONC/RPC Portmapper (Portmap) - Unknown owner - C:\WINDOWS\system32\portmap.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: SILVACO Floating License Manager (SilvacoSflm) (SilvacoSflm) - Unknown owner - C:\Silvaco\lib\rpc.sflmserverd\4.8.0.R\x86-nt\rpc.sflmserverd.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

Thanks for your continued help.
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I think the Security Center service in the registry isn't properly configured - the path may have gotten corrupted. Hopefully that is why Norton is throwing fits.
Let's try a regfix.
Download this attachment: [attachment=14026:restoreSC.zip]
Download it to your desktop.
Unzip it. This will create a new folder on your desktop with the name restoreSC.
Open that folder and double-click restoreSC.reg.
It will ask if you want to merge the contents into the registry. Click yes at the prompt.

Reboot << important


Post a HijackThis log and let me know if this solves the problem.

Thanks
  • 0
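The diagnosis above rests on one O23 line in the previous log: the Security Center (wscsvc) service path reads `C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)`, a drive letter appearing twice, which is what a mangled ImagePath value looks like, and the Symantec AntiVirus service (Rtvscan.exe) is also reported as file missing, which matches the "no virus protection" alert. In a log this long such lines are easy to skim past. The script below is an added example, not part of the thread and not a HijackThis or Geeks to Go tool: it parses the O23 lines and flags doubled-drive paths and missing binaries, giving extra weight to security-related services. The input lines are copied from the log posted above; the `SECURITY_KEYWORDS` list and the path regex are my own assumptions about what is worth flagging.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# O23 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe (file missing)
O23 - Service: SILVACO Floating License Manager (SilvacoSflm) (SilvacoSflm) - Unknown owner - C:\Silvaco\lib\rpc.sflmserverd\4.8.0.R\x86-nt\rpc.sflmserverd.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
"""

O23_PREFIX = "O23 - Service: "
MISSING_MARK = "(file missing)"
# Trailing "(shortname)" on the display name, e.g. "Security Center (wscsvc)".
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")
# A second "<drive>:\" after the first one means the path was mangled, e.g. a
# prefix prepended to an already-absolute ImagePath. (Reference: on XP SP2,
# wscsvc is hosted by svchost.exe, so a single clean path is expected.)
DOUBLED_DRIVE_RE = re.compile(r"^[A-Za-z]:\\.*[A-Za-z]:\\")
# Assumption: substrings that mark a service as part of the security stack.
SECURITY_KEYWORDS = ("security center", "antivirus", "firewall", "symantec", "defwatch")


@dataclass
class ServiceEntry:
    display_name: str
    short_name: Optional[str]
    owner: str
    image_path: str
    file_missing: bool
    findings: List[str] = field(default_factory=list)


def parse_o23_line(line: str) -> Optional[ServiceEntry]:
    """Parse one 'O23 - Service:' line; return None for any other line."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):]
    # HijackThis separates name / owner / path with " - ". Split from the right
    # so a " - " inside the display name cannot shift the owner and path fields.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    file_missing = path.endswith(MISSING_MARK)
    if file_missing:
        path = path[: -len(MISSING_MARK)].rstrip()
    short = None
    match = SHORT_NAME_RE.search(name)
    if match:
        short = match.group(1)
        name = name[: match.start()].rstrip()
    return ServiceEntry(name, short, owner, path, file_missing)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable findings to a parsed service entry."""
    if DOUBLED_DRIVE_RE.match(entry.image_path):
        entry.findings.append("malformed ImagePath (drive letter appears twice)")
    label = f"{entry.display_name} {entry.short_name or ''}".lower()
    security_related = any(k in label for k in SECURITY_KEYWORDS)
    if entry.file_missing and security_related:
        entry.findings.append("security service binary missing")
    elif entry.file_missing:
        entry.findings.append("binary missing (stale or removed service)")
    return entry


def analyze_log(text: str) -> List[ServiceEntry]:
    entries = (parse_o23_line(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]


def suspicious(text: str) -> Dict[str, List[str]]:
    """Map service name (short name if present) to its findings, flagged entries only."""
    return {e.short_name or e.display_name: e.findings
            for e in analyze_log(text) if e.findings}


if __name__ == "__main__":
    for name, findings in suspicious(SAMPLE_O23).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against the lines above, the script singles out wscsvc (mangled path and missing binary), Symantec AntiVirus (missing binary on a security service), and the two stale third-party services; the healthy Symantec and ATI entries produce no findings. A cleaner log after the regfix should drop the wscsvc line from the output.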

#13
Dgtzd

Dgtzd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Loophole,

I'm still getting a pop-up saying Symantec Auto-Protect has been disabled, and I still can't start the Symantec Firewall.

I am also getting a Windows alert saying that my computer has no virus protection, but I have Symantec installed and I just finished an update before running HijackThis.

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:18:44 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\ExpServer.exe
C:\WINDOWS\system32\portmap.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176066089218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143772618515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ExpServer - SILVACO International - C:\WINDOWS\SYSTEM32\ExpServer.exe
O23 - Service: FwSRService - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\fwsrservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ONC/RPC Portmapper (Portmap) - Unknown owner - C:\WINDOWS\system32\portmap.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: SILVACO Floating License Manager (SilvacoSflm) (SilvacoSflm) - Unknown owner - C:\Silvaco\lib\rpc.sflmserverd\4.8.0.R\x86-nt\rpc.sflmserverd.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe


Thank you.

Edited by Dgtzd, 18 April 2007 - 05:25 PM.

  • 0

#14
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

I haven't forgotten about you; work has been a bear. I will reply tomorrow.
  • 0

#15
Dgtzd

Dgtzd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hey Loophole,

Thanks for the continued support.
  • 0
