Multiple Trojan Related Issues [RESOLVED]


This topic is locked

#1 Raine Dragon (Member, 11 posts)
So, about 30 hours ago I mistyped a link, and the next thing I know I've got the classic 'bad' scenario: the web browser locks up as it says it's downloading a million things. I killed the web browser via the Task Manager, and then turned to the series of security pop-ups from Norton which mentioned a variety of Trojans (and in my haste, I did not write down the names, I'm sorry). So, I ran Ad-Aware and Norton, deleted them, and I thought I was fine.

Then, about 20 hours later I'm watching a DVD and suddenly I've got a bunch of things going on again. I again killed the web browser which I had open in the background (the site it was on was clean to the extent of my knowledge, though, considering it's owned by a friend of mine and she manages the server machine...), I killed my connection to the internet through Norton and told Norton not to let any of these applications access the internet. I then downloaded AVG and ran more scans. While it was scanning, I went to clean house. I came back and a lot of files that were part of applications were infected. I reluctantly dumped them into the quarantine area and then deleted them altogether. I then re-scanned the computer and it came out clean.

Then it started talking. In, like... Chinese or Japanese... I wasn't listening very closely. But anyway, it sounded like a horror movie soundtrack playing, and there was no music or movie application running on my PC. I cut the web connection off, and the sound stopped. Ran the scan again, and it still found nothing.

I'm desperate by this point, so I restart the PC, and chose to restore the PC to its state as of 7:00 this evening, which is as far back as I can go.

When Windows came up, I was faced with nearly all the apps that started up with my PC being gone (these are all the ones that were infected), one of those being Norton. I went to run it to see if it was alright, but AutoProtect and security are turned off, and when I try to stop web traffic it tells me "Restricted accounts are not aloud to block or allow traffic" (this account has always had full 'admin' status). There was also an issue when I first started up, though I'm not sure if I have resolved it yet. I'll let you know as soon as I restart.

The trojans I remember are:
downloader.zlob.rn
broadcastpc
Dropper.Aggent.GIT
::edit::
I've also now picked up
Win32:CTX
generic9.AVOW
::end edit::


So, I ran CCleaner to try to clean up some more.. and then I ran HijackThis.

This is my result:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:17 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Norton Internet Security\ccPxySvc.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
F:\WINDOWS\system32\WTablet\TabUserW.exe
F:\Program Files\Grisoft\AVG7\avgwb.dat
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.varusonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F3 - REG:win.ini: load=F:\WINDOWS\system32\vtsqo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {946FD2A3-A9BE-4516-BFE4-366F5194C441} - F:\WINDOWS\system32\vtsqo.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: TabUserW.exe.lnk = F:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: F:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://F:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O20 - Winlogon Notify: tuvtspp - F:\WINDOWS\SYSTEM32\tuvtspp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://s.deviantart.com/styles/blank.png
O24 - Desktop Component 1: (no name) - http://ic3.deviantart.com/fs15/f/2006/353/4/a/Candle_ani_1_by_rainedragon.gif
O24 - Desktop Component 2: (no name) - http://fc01.deviantart.com/fs11/i/2006/224/a/c/Raine_Dragon_by_rainedragon.gif
O24 - Desktop Component 3: (no name) - http://ic3.deviantart.com/fs11/i/2006/169/e/6/Happy_Birthday_Varus_by_rainedragon.gif
O24 - Desktop Component 4: (no name) - http://fc01.deviantart.com/fs11/i/2006/224/5/c/Varus_V_day_by_rainedragon.gif

--
End of file - 10468 bytes

Re-scanned after further disinfection:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:29 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Norton Internet Security\ccPxySvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
F:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
F:\WINDOWS\system32\WTablet\TabUserW.exe
F:\Program Files\Grisoft\AVG7\avgwb.dat
F:\WINDOWS\system32\wuauclt.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\notepad.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.varusonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F3 - REG:win.ini: load=F:\WINDOWS\system32\vtsqo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {946FD2A3-A9BE-4516-BFE4-366F5194C441} - F:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: TabUserW.exe.lnk = F:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: F:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://F:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O20 - Winlogon Notify: tuvtspp - tuvtspp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9981 bytes

On start up I get these errors:

F:\WINDOWS\system32\vtsqo.exe
-----------------------------
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.
[ ok ]

Desktop
-----------------------------
Could not load or run 'F:\WINDOWS\system32\vtsqo.exe' specified in the registry. Make sure the file exsists on your computer or remove the reference to it in the registry.
[ ok ]

That executable file doesn't exist on my other system, which runs the same OS and maybe... 75% of the same apps. (It's actually technically just the older drive for this system; the boot sector went bad (oddly enough, it seems to work if the room temp. is below 72F), so I shoved it in the back of the case and use it for temp. file storage space.)

And I keep getting this ZoneAlarm alert blocking access to my system from 192.168.79.1 on port 19694. And when I say I keep getting it, I get 3 hits about 20 seconds apart, then it stops and waits about 8 min, then another 3 hits 20 seconds apart...
Network Solutions lists this as 'Internet Assigned Numbers Authority', though, so does that mean that it's not actually a problem, or is someone hiding behind a false IP?

I also ran a panda active scan which came out with:
Incident | Status | Location
Adware:adware/outerinfo | Not disinfected | Windows Registry
Spyware:spyware/virtumonde | Not disinfected | Windows Registry
Adware:adware/alexa-toolbar | Not disinfected | Windows Registry
Spyware:Cookie/FastClick | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Toplist | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/BurstNet | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Apmebf | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/YieldManager | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com | Not disinfected | F:\Documents and Settings\WES\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\cookies.txt[.com.com/]
Possible Virus. | Not disinfected | F:\Documents and Settings\WES\Desktop\OiUninstaller.exe[UE.exe]
Possible Virus. | Not disinfected | F:\Documents and Settings\WES\Local Settings\Application Data\Mozilla\Firefox\Profiles\nh8bfa4r.default\Cache\92941175d01[UE.exe]
Hacktool:HackTool/KillProcWin.A | Not disinfected | F:\Documents and Settings\WES\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0E.dat[simple_killw.exe]
Hacktool:HackTool/KillProcWin.A | Not disinfected | F:\Documents and Settings\WES\Local Settings\Temp\CDASilentInstall0501.exe[simple_killw.exe]
Spyware:Cookie/Atwola | Not disinfected | F:\Documents and Settings\WES\Local Settings\Temp\Cookies\[email protected][1].txt
Adware:Adware/Yazzle | Not disinfected | F:\Program Files\Common Files\Yazzle1552OinAdmin.exe
Adware:Adware/Yazzle | Not disinfected | F:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
Adware:Adware/Yazzle | Not disinfected | F:\WINDOWS\system32\000070.exe

I guess, I just want to know if I got it all... and if not, what more do I need to do.
Also, it would be nice if someone happened to know how I can fix Norton without uninstalling/reinstalling it, as I seem to have left the disk at my parents' house 500 miles away... But that's not major; I can always use AVG or ZoneAlarm.

Edited by Raine Dragon, 03 February 2008 - 11:25 AM.

  • 0

#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please don't put the logs in code boxes


Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
  • 0

#3
Raine Dragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Sorry about that, I wasn't sure if the logs contained any characters that would cause issues; I know some forums are picky about things ^^;

Sorry about the delay; a client and a professor both expected work done by today, so I had to swap the drive out for one that was working (but it's a borrowed one ^^; so I do need to fix this one, if possible).

________________________________________________________________________________

ComboFix 08-02.05.3 - WES 2008-02-06 19:42:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT -5:00]
Running from: F:\Documents and Settings\WES\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
F:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
F:\WINDOWS\md_dte.dll
F:\WINDOWS\system32\000090.exe
F:\WINDOWS\system32\oqstv.ini
F:\WINDOWS\system32\oqstv.ini2

----- BITS: Possible infected sites -----

hxxp://80.93.48.74

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-03 12:51 . 2008-02-03 12:51 27,885 --a------ F:\Documents and Settings\WES\x.exe
2008-02-03 01:00 . 2008-02-03 01:00 <DIR> d-------- F:\Program Files\Trend Micro
2008-02-03 00:58 . 2008-02-03 01:00 4,212 ---h----- F:\WINDOWS\system32\zllictbl.dat
2008-02-03 00:56 . 2008-02-03 14:29 <DIR> d-------- F:\WINDOWS\Internet Logs
2008-02-03 00:52 . 2008-02-03 02:48 2,550 --a------ F:\WINDOWS\system32\Uninstall.ico
2008-02-03 00:52 . 2008-02-03 02:48 1,406 --a------ F:\WINDOWS\system32\Help.ico
2008-02-03 00:26 . 2008-02-03 00:26 <DIR> d-------- F:\Program Files\Alwil Software
2008-01-30 18:24 . 2008-02-01 23:46 <DIR> d-------- F:\Documents and Settings\WES\Application Data\Media Player Classic
2008-01-30 18:15 . 2008-01-30 18:15 <DIR> d-------- F:\Program Files\Easy DVD Player
2008-01-30 17:51 . 2005-06-21 16:43 163,840 --a------ F:\WINDOWS\system32\igfxres.dll
2008-01-30 17:28 . 2008-01-30 17:28 <DIR> d-------- F:\DECCHECK
2008-01-15 01:40 . 2008-02-03 12:05 <DIR> d-------- F:\Documents and Settings\WES\Application Data\AVG7
2008-01-15 01:40 . 2008-01-15 01:40 <DIR> d-------- F:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 01:40 . 2008-01-15 01:40 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-15 01:40 . 2008-01-15 01:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\avg7
2008-01-14 20:33 . 2008-01-14 20:33 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 20:29 . 2008-01-14 20:29 <DIR> d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 18:30 . 2008-01-15 00:09 <DIR> d-------- F:\Program Files\EasyPHP 2.0b1
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ F:\WINDOWS\system32\divxdec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 19:23 --------- d-----w F:\Program Files\Common Files\Roxio Shared
2008-02-03 17:51 --------- d-----w F:\Program Files\VisualRoute
2008-02-03 17:03 --------- d-----w F:\Program Files\SymNetDrv
2008-02-03 17:03 --------- d-----w F:\Program Files\QuickTime
2008-02-03 17:03 --------- d-----w F:\Program Files\MSN Messenger
2008-02-03 17:03 --------- d-----w F:\Program Files\Conversions Plus
2008-02-03 17:03 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-02-03 14:41 --------- d-----w F:\Program Files\Norton Internet Security
2008-02-03 14:40 --------- d-----w F:\Program Files\Norton AntiVirus
2008-02-02 20:48 --------- d-----w F:\Program Files\Trillian
2008-01-30 23:07 --------- d-----w F:\Program Files\DivX
2008-01-30 23:01 --------- d-----w F:\Program Files\Zoom Player
2008-01-30 22:16 --------- d-----w F:\Documents and Settings\WES\Application Data\dvdcss
2008-01-20 05:00 --------- d-----w F:\Program Files\MyDB Studio
2008-01-15 01:39 --------- d-----w F:\Program Files\Lavasoft
2008-01-15 01:39 --------- d-----w F:\Documents and Settings\WES\Application Data\Lavasoft
2008-01-08 01:59 --------- d-----w F:\Documents and Settings\WES\Application Data\.BitTornado
2008-01-01 14:16 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 22:56 --------- d-----w F:\Program Files\Safari
2007-12-18 05:39 --------- d-----w F:\Documents and Settings\WES\Application Data\Move Networks
2007-12-18 02:55 --------- d-----w F:\Program Files\Messenger Plus! Live
2007-12-15 04:10 --------- d-----w F:\Program Files\K-Lite Codec Pack
2007-12-15 04:09 --------- d-----w F:\Program Files\DirectVobSub
2007-12-11 03:56 --------- d-----w F:\Documents and Settings\WES\Application Data\Apple Computer
2007-12-09 08:15 --------- d-----w F:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-09 07:06 --------- d-----w F:\Program Files\Common Files\Adobe Systems Shared
2007-12-09 07:06 --------- d-----w F:\Program Files\Common Files\Adobe
2007-12-09 03:22 --------- d-----w F:\Program Files\Windows Media Components
2005-10-06 20:17 280,576 ----a-w F:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2005-10-06 20:17 280,576 ----a-w F:\WINDOWS\inf\WG311v3\WG311v3.sys
2005-06-29 18:33 159,744 ----a-w F:\Documents and Settings\WES\Setup.exe
2005-06-29 18:32 69,632 ----a-w F:\Documents and Settings\WES\Instngin.dll
2005-03-01 16:16 212,992 ----a-w F:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2003-05-14 15:17 106,496 ----a-w F:\Documents and Settings\WES\PCIUtil.dll
1998-12-09 02:53 99,840 ----a-w F:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w F:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w F:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w F:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w F:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w F:\Program Files\Common Files\IRASRIAL.DLL
2007-01-01 00:57 32 --sha-w F:\WINDOWS\{82E74617-66F3-4ABA-AE09-262E2F7323BB}.dat
2007-01-01 00:57 32 --sha-w F:\WINDOWS\{ED938A0E-92B1-47FD-B90B-EAD5464AF22B}.dat
2007-01-01 00:57 32 --sha-w F:\WINDOWS\system32\{250B8871-4049-460E-8223-8CE429EC4726}.dat
2007-01-01 00:57 32 --sha-w F:\WINDOWS\system32\{491A6A73-E483-49ED-A798-9E3F7C38B9D9}.dat
.
----a-w		   579,072 2008-02-02 20:37:11  F:\Program Files\Grisoft\AVG7\avgcc .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{946FD2A3-A9BE-4516-BFE4-366F5194C441}]
F:\WINDOWS\system32\vtsqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 14:08 67160]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 18:53 54784 F:\WINDOWS\SOUNDMAN.EXE]
"farstone"="NULL" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 01:40 219136]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 00:12:18 113664]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
NETGEAR WG311v3 Smart Wizard.lnk - F:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2007-01-03 21:56:54 1078]
Symantec Fax Starter Edition Port.lnk - F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54 45568]
TabUserW.exe.lnk - F:\WINDOWS\system32\WTablet\TabUserW.exe [2007-07-07 18:11:41 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspp]
tuvtspp.dll

R0 MacOpen;MacOpen;F:\WINDOWS\system32\drivers\MacOpen.sys [1997-06-27 08:22]
R0 VVBackd5;VVBackd5;F:\WINDOWS\system32\drivers\VVBackd5.sys [2003-01-20 04:21]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 02:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5aa3d51-5c21-11dc-80dd-00146c735af2}]
\Shell\AutoRun\command - G:\LaunchU3.exe

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 18:06:31 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 01:08:07 F:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- F:\PROGRA~1\NORTON~1\NAVW32.exeG/task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~2\Tasks\mycomp.sca
"2007-01-01 01:15:33 F:\WINDOWS\Tasks\Symantec NetDetect.job"
- F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 19:50:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Norton Internet Security\ccPxySvc.exe
F:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
.
**************************************************************************
.
Completion time: 2008-02-06 19:55:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 00:54:58

________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:02 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Norton Internet Security\ccPxySvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AIM\aim.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
F:\WINDOWS\system32\WTablet\TabUserW.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.varusonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {946FD2A3-A9BE-4516-BFE4-366F5194C441} - F:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: TabUserW.exe.lnk = F:\WINDOWS\system32\WTablet\TabUserW.exe
O12 - Plugin for .htm: F:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://F:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: tuvtspp - tuvtspp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe

--
End of file - 7390 bytes

________________________________________________________________________________

"*Newly Created Service* - HTTPFILTER" is mentioned in there, and I just wanted to mention that I am having issues with HTTPS (secure hypertext transfer protocol) under every browser on my system, despite doing everything suggested by Microsoft to repair this issue. This page: http://www.softwaret...HTTPFilter.html says that this is the thing that makes them work, right?

Just thought I'd mention it because it stuck out to me, and it's a big problem for me since I can't get into any online e-mail or online classes @[email protected] without secure HTTP.

Edited by Raine Dragon, 06 February 2008 - 10:28 PM.

  • 0

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Remind me about the HTTP problem at the end

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {946FD2A3-A9BE-4516-BFE4-366F5194C441} - F:\WINDOWS\system32\vtsqo.dll (file missing)
O20 - Winlogon Notify: tuvtspp - tuvtspp.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
F:\Documents and Settings\WES\x.exe
F:\WINDOWS\system32\vtsqo.dll
G:\LaunchU3.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5aa3d51-5c21-11dc-80dd-00146c735af2}]

RenV::
----a-w 579,072 2008-02-02 20:37:11 F:\Program Files\Grisoft\AVG7\avgcc .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
  • 0
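The two entries picked out in the post above are both load points whose target file HijackThis reports as missing, and the next step is to diff the fresh log against the old one to confirm that exactly those entries disappeared and nothing new appeared. Here is that check as a small script. This is an added example, not code from this thread, from HijackThis or from ComboFix; the sample log lines are copied from the two logs posted here, and the function names and the two triage rules are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines in HijackThis v2 log format,
# copied from the two logs posted in this thread. BEFORE_LOG is from the log
# that still carried the orphaned BHO and Winlogon Notify entries, AFTER_LOG
# from the log posted once those two items had been fixed.
BEFORE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {946FD2A3-A9BE-4516-BFE4-366F5194C441} - F:\WINDOWS\system32\vtsqo.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O20 - Winlogon Notify: tuvtspp - tuvtspp.dll (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe
"""

AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe
"""

# A HijackThis entry line: a section code (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2"
    body: str      # the rest of the line, unchanged


def parse_hjt(text):
    """Turn the entry lines of a HijackThis log into Entry objects, in log order."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for load points that merit a closer look.

    Both rules (my own, not HijackThis's) build on what the log already says:
    an entry whose target file is gone is an orphaned load point, typically
    what is left after an AV product removed the DLL but not the registry
    reference, and a BHO registered without a name is not something a
    legitimate installer normally leaves behind.
    """
    findings = []
    for entry in entries:
        if "(file missing)" in entry.body:
            findings.append((entry, "target file is missing: orphaned load point"))
        elif entry.section == "O2" and entry.body.startswith("BHO: (no name)"):
            findings.append((entry, "browser helper object registered without a name"))
    return findings


def removed_entries(before_text, after_text):
    """Entries present in the first log but absent from the second, in log order."""
    after = set(parse_hjt(after_text))
    return [e for e in parse_hjt(before_text) if e not in after]


def added_entries(before_text, after_text):
    """Entries new in the second log; a fresh load point right after a fix is a red flag."""
    before = set(parse_hjt(before_text))
    return [e for e in parse_hjt(after_text) if e not in before]


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(BEFORE_LOG)):
        print(f"{entry.section} - {entry.body}\n    -> {reason}")
    print("removed by the fix:", [e.section for e in removed_entries(BEFORE_LOG, AFTER_LOG)])
    print("new since the fix:", added_entries(BEFORE_LOG, AFTER_LOG))
    print("still flagged:", triage(parse_hjt(AFTER_LOG)))
```

Run on the two sample logs, `triage` flags the O2 and O20 lines and nothing else, `removed_entries` returns exactly those two, and `added_entries` is empty, which is the outcome a helper wants to see before moving on to the remaining ComboFix items.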

#5
Raine Dragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:25 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Norton Internet Security\ccPxySvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AIM\aim.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
F:\WINDOWS\system32\WTablet\TabUserW.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.varusonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: TabUserW.exe.lnk = F:\WINDOWS\system32\WTablet\TabUserW.exe
O12 - Plugin for .htm: F:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://F:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PACSPTISVR - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe

--
End of file - 7154 bytes

_________________________________________________________________



Did you want the Combofix log? I wasn't sure, so I've included it as well.


ComboFix 08-02.05.3 - WES 2008-02-07 19:19:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.617 [GMT -5:00]
Running from: F:\Documents and Settings\WES\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\WES\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
F:\Documents and Settings\WES\x.exe
F:\WINDOWS\system32\vtsqo.dll
G:\LaunchU3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\WES\x.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-03 01:00 . 2008-02-03 01:00 <DIR> d-------- F:\Program Files\Trend Micro
2008-02-03 00:58 . 2008-02-03 01:00 4,212 ---h----- F:\WINDOWS\system32\zllictbl.dat
2008-02-03 00:56 . 2008-02-03 14:29 <DIR> d-------- F:\WINDOWS\Internet Logs
2008-02-03 00:52 . 2008-02-03 02:48 2,550 --a------ F:\WINDOWS\system32\Uninstall.ico
2008-02-03 00:52 . 2008-02-03 02:48 1,406 --a------ F:\WINDOWS\system32\Help.ico
2008-02-03 00:26 . 2008-02-03 00:26 <DIR> d-------- F:\Program Files\Alwil Software
2008-01-30 18:24 . 2008-02-01 23:46 <DIR> d-------- F:\Documents and Settings\WES\Application Data\Media Player Classic
2008-01-30 18:15 . 2008-01-30 18:15 <DIR> d-------- F:\Program Files\Easy DVD Player
2008-01-30 17:51 . 2005-06-21 16:43 163,840 --a------ F:\WINDOWS\system32\igfxres.dll
2008-01-30 17:28 . 2008-01-30 17:28 <DIR> d-------- F:\DECCHECK
2008-01-15 01:40 . 2008-02-03 12:05 <DIR> d-------- F:\Documents and Settings\WES\Application Data\AVG7
2008-01-15 01:40 . 2008-01-15 01:40 <DIR> d-------- F:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 01:40 . 2008-01-15 01:40 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-15 01:40 . 2008-01-15 01:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\avg7
2008-01-14 20:33 . 2008-01-14 20:33 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 20:29 . 2008-01-14 20:29 <DIR> d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 18:30 . 2008-01-15 00:09 <DIR> d-------- F:\Program Files\EasyPHP 2.0b1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 12:18 --------- d-----w F:\Program Files\Trillian
2008-02-03 19:23 --------- d-----w F:\Program Files\Common Files\Roxio Shared
2008-02-03 17:51 --------- d-----w F:\Program Files\VisualRoute
2008-02-03 17:03 --------- d-----w F:\Program Files\SymNetDrv
2008-02-03 17:03 --------- d-----w F:\Program Files\QuickTime
2008-02-03 17:03 --------- d-----w F:\Program Files\MSN Messenger
2008-02-03 17:03 --------- d-----w F:\Program Files\Conversions Plus
2008-02-03 17:03 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-02-03 14:41 --------- d-----w F:\Program Files\Norton Internet Security
2008-02-03 14:40 --------- d-----w F:\Program Files\Norton AntiVirus
2008-01-30 23:07 --------- d-----w F:\Program Files\DivX
2008-01-30 23:01 --------- d-----w F:\Program Files\Zoom Player
2008-01-30 22:16 --------- d-----w F:\Documents and Settings\WES\Application Data\dvdcss
2008-01-20 05:00 --------- d-----w F:\Program Files\MyDB Studio
2008-01-15 01:39 --------- d-----w F:\Program Files\Lavasoft
2008-01-15 01:39 --------- d-----w F:\Documents and Settings\WES\Application Data\Lavasoft
2008-01-08 01:59 --------- d-----w F:\Documents and Settings\WES\Application Data\.BitTornado
2008-01-04 21:59 524,288 ----a-w F:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w F:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w F:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w F:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w F:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w F:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w F:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w F:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w F:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w F:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w F:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w F:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w F:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w F:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w F:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w F:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w F:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w F:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-01 14:16 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 22:56 --------- d-----w F:\Program Files\Safari
2007-12-18 05:39 --------- d-----w F:\Documents and Settings\WES\Application Data\Move Networks
2007-12-18 02:55 --------- d-----w F:\Program Files\Messenger Plus! Live
2007-12-15 04:10 --------- d-----w F:\Program Files\K-Lite Codec Pack
2007-12-15 04:09 --------- d-----w F:\Program Files\DirectVobSub
2007-12-11 03:56 --------- d-----w F:\Documents and Settings\WES\Application Data\Apple Computer
2007-12-09 08:15 --------- d-----w F:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-09 07:06 --------- d-----w F:\Program Files\Common Files\Adobe Systems Shared
2007-12-09 07:06 --------- d-----w F:\Program Files\Common Files\Adobe
2007-12-09 03:22 --------- d-----w F:\Program Files\Windows Media Components
2007-12-05 04:02 78,440 ----a-w F:\WINDOWS\system32\PGPlspRollback.reg
2005-10-06 20:17 280,576 ----a-w F:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2005-10-06 20:17 280,576 ----a-w F:\WINDOWS\inf\WG311v3\WG311v3.sys
2005-06-29 18:33 159,744 ----a-w F:\Documents and Settings\WES\Setup.exe
2005-06-29 18:32 69,632 ----a-w F:\Documents and Settings\WES\Instngin.dll
2005-03-01 16:16 212,992 ----a-w F:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2003-05-14 15:17 106,496 ----a-w F:\Documents and Settings\WES\PCIUtil.dll
1998-12-09 02:53 99,840 ----a-w F:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w F:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w F:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w F:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w F:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w F:\Program Files\Common Files\IRASRIAL.DLL
2007-01-01 00:57 32 --sha-w F:\WINDOWS\{82E74617-66F3-4ABA-AE09-262E2F7323BB}.dat
2007-01-01 00:57 32 --sha-w F:\WINDOWS\{ED938A0E-92B1-47FD-B90B-EAD5464AF22B}.dat
2007-01-01 00:57 32 --sha-w F:\WINDOWS\system32\{250B8871-4049-460E-8223-8CE429EC4726}.dat
2007-01-01 00:57 32 --sha-w F:\WINDOWS\system32\{491A6A73-E483-49ED-A798-9E3F7C38B9D9}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 14:08 67160]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 18:53 54784 F:\WINDOWS\SOUNDMAN.EXE]
"farstone"="NULL" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 01:40 219136]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 00:12:18 113664]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
NETGEAR WG311v3 Smart Wizard.lnk - F:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2007-01-03 21:56:54 1078]
Symantec Fax Starter Edition Port.lnk - F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54 45568]
TabUserW.exe.lnk - F:\WINDOWS\system32\WTablet\TabUserW.exe [2007-07-07 18:11:41 114688]

R0 MacOpen;MacOpen;F:\WINDOWS\system32\drivers\MacOpen.sys [1997-06-27 08:22]
R0 VVBackd5;VVBackd5;F:\WINDOWS\system32\drivers\VVBackd5.sys [2003-01-20 04:21]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;F:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 02:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 18:06:31 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 01:08:07 F:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- F:\PROGRA~1\NORTON~1\NAVW32.exeG/task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~2\Tasks\mycomp.sca
"2007-01-01 01:15:33 F:\WINDOWS\Tasks\Symantec NetDetect.job"
- F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 19:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-07 19:25:16
ComboFix-quarantined-files.txt 2008-02-08 00:25:13
ComboFix2.txt 2008-02-07 00:55:03
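Reading a ComboFix log by hand means scanning hundreds of file-listing lines for the few attributes and locations that deserve a second look. As an added example that is not part of the original thread and is not ComboFix's own code, the Python below parses lines in the layout of the "Files Created" and "Find3M Report" sections above and flags entries worth reviewing: files with the hidden or system attribute set, and executables sitting directly in a user profile root or the Windows root. The sample lines are copied from the log above; the heuristics, the function names and the `EXEC_EXT` list are mine, and a hit means "look at this", not "this is malware" (plenty of legitimate software uses hidden files).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Sample lines in ComboFix's file-listing layout, copied from the log above.
# "Files Created" lines carry "created . modified size attrs path";
# "Find3M Report" lines carry "modified size attrs path" (dashes for size = directory).
SAMPLE_LOG = """\
2008-02-03 00:58 . 2008-02-03 01:00 4,212 ---h----- F:\\WINDOWS\\system32\\zllictbl.dat
2008-02-03 00:26 . 2008-02-03 00:26 <DIR> d-------- F:\\Program Files\\Alwil Software
2008-02-07 12:18 --------- d-----w F:\\Program Files\\Trillian
2008-01-04 21:59 524,288 ----a-w F:\\WINDOWS\\system32\\DivXsm.exe
2005-06-29 18:33 159,744 ----a-w F:\\Documents and Settings\\WES\\Setup.exe
2007-01-01 00:57 32 --sha-w F:\\WINDOWS\\{82E74617-66F3-4ABA-AE09-262E2F7323BB}.dat
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})"  # first timestamp on the line
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"              # optional ". modified" stamp
    r" (?P<size><DIR>|-+|[\d,]+)"                           # <DIR>, dashes, or 1,234
    r" (?P<attrs>[a-z-]+)"                                  # e.g. --sha-w or ---h-----
    r" (?P<path>[A-Za-z]:\\.*)$"
)

# Extensions that run code (my list, assumption): one of these dropped directly
# in a profile root or the Windows root is unusual enough to be worth a look.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".pif", ".com", ".bat", ".cmd"}


@dataclass
class Entry:
    stamp: datetime        # first timestamp printed on the line
    size: Optional[int]    # None for directories
    attrs: str             # attribute string exactly as ComboFix printed it
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None or self.attrs.startswith("d")


def parse_combofix_files(text: str) -> List[Entry]:
    """Parse every line that matches the file-listing layout; headers and blanks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_tok = m.group("size")
        size = int(size_tok.replace(",", "")) if size_tok[0].isdigit() else None
        stamp = datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M")
        entries.append(Entry(stamp, size, m.group("attrs"), m.group("path")))
    return entries


def review_reasons(e: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a closer look; an empty list means nothing notable."""
    if e.is_dir:
        return []
    reasons: List[str] = []
    if "h" in e.attrs:
        reasons.append("hidden attribute set")
    if "s" in e.attrs:
        reasons.append("system attribute set")
    p = PureWindowsPath(e.path)
    if p.suffix.lower() in EXEC_EXT:
        parts = p.parts  # e.g. ('F:\\', 'Documents and Settings', 'WES', 'Setup.exe')
        if len(parts) == 4 and parts[1].lower() == "documents and settings":
            reasons.append("executable directly in a user profile root")
        elif len(parts) == 3 and parts[1].lower() == "windows":
            reasons.append("executable directly in the Windows root")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every flagged entry, oldest timestamp first."""
    ordered = sorted(parse_combofix_files(text), key=lambda e: e.stamp)
    return [(e.path, review_reasons(e)) for e in ordered if review_reasons(e)]


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(f"{path}: {', '.join(why)}")
```

On the six sample lines this flags the hidden `zllictbl.dat`, the hidden+system GUID-named `.dat` in the Windows directory, and `Setup.exe` in the profile root; the DivX codec component in `system32` and the directories are left alone. Whether a flagged file is actually bad still needs the usual follow-up (vendor, signature, creation date relative to the incident), which is exactly what the helper in this thread did by eye.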

#6 Rorschach112 (Retired Staff)
Nearly done now.

You have two anti-virus programs running, AVG and Norton, so you need to remove one of these.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Also tell me how your PC is running.

#7 Raine Dragon (Topic Starter)
I missed a step in the instructions, so I'm going through and re-scanning. (I only scanned F:, which is my primary hard drive. I went back in and now it's scanning both F: and C:. C: is an old hard drive with a bad boot sector which I only have hanging around for file storage, and I only scan it occasionally, or when I've actually added/removed files.) But this is what the first scan log was:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2008 at 10:32 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:08:56

Memory items scanned : 394
Memory threats detected : 0
Registry items scanned : 7460
Registry threats detected : 0
File items scanned : 40376
File threats detected : 5

Adware.Tracking Cookie
F:\Documents and Settings\WES\Cookies\[email protected][2].txt
F:\Documents and Settings\WES\Cookies\[email protected][1].txt
F:\Documents and Settings\WES\Cookies\[email protected][1].txt

Adware.ClickSpring/Outer Info Network
F:\DOCUMENTS AND SETTINGS\WES\DESKTOP\OIUNINSTALLER.EXE

Adware.ClickSpring/Yazzle
F:\QOOBOX\QUARANTINE\F\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE.VIR

Edited by Raine Dragon, 07 February 2008 - 09:48 PM.


#8 Rorschach112 (Retired Staff)
You can leave the other drive; your logs are clean! We need to do a few things.

Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE) from here and install it on your computer.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking the Windows Update website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce the chance of malware re-infection in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-Spyad here.

* SpywareGuard offers real-time protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, so it will be more difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
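The HOSTS file recommendation above works because Windows consults %SystemRoot%\system32\drivers\etc\hosts before it asks DNS, so a hostname listed there resolves to whatever address the line gives it. As an added example that is not part of the original post and is not the MVPS file itself, the Python below reads an excerpt in that file's layout (a constructed sample, not the real list) and answers the two questions a practitioner usually has: which names are sunk, and what happens to a name that is not listed. The sample lines, the function names and the use of 0.0.0.0 for one entry are mine; the first-entry-wins rule for duplicate names is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the HOSTS file layout: "<address> <hostname>..." per line,
# '#' starts a comment, blank lines are ignored, tabs and spaces both separate fields.
# This is not the MVPS list; the hostnames are reserved example domains.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS list
127.0.0.1       localhost
127.0.0.1       ad.example.net
127.0.0.1\tbanners.example.org   # inline comments are allowed
0.0.0.0         tracker.example.com
not-an-address  junk.example.com
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each lowercase hostname to its address.

    The first entry seen for a name wins (assumption); lines whose first field is
    not a valid IP address are skipped rather than treated as a block entry.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, then surrounding space
        if not line:
            continue
        fields = line.split()                    # handles tabs and runs of spaces
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def resolve(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Exact, case-insensitive match only: a hosts file has no wildcard or suffix matching."""
    return table.get(hostname.lower().rstrip("."))


def is_sunk(table: Dict[str, str], hostname: str) -> bool:
    """True if the name is pinned to an address that can never reach the real site."""
    addr = resolve(table, hostname)
    if addr is None:
        return False                             # not listed: normal DNS resolution happens
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified   # 127.0.0.1 / ::1 or 0.0.0.0


def sunk_names(table: Dict[str, str]) -> List[str]:
    """Every name the file blackholes, excluding the mandatory localhost entry."""
    return sorted(n for n in table if n != "localhost" and is_sunk(table, n))


if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    print("sunk:", sunk_names(t))
    print("www.ad.example.net sunk?", is_sunk(t, "www.ad.example.net"))
```

Two things the output makes visible. First, matching is exact: `ad.example.net` is sunk but `www.ad.example.net` is not, so every subdomain an ad network uses needs its own line, which is why the MVPS file is as long as it is. Second, 127.0.0.1 is not quite a dead end: the browser still opens a TCP connection to your own machine, and if something is listening on port 80 locally the "blocked" request lands on it instead of failing. That matters on this particular PC, whose log shows EasyPHP installed, which bundles a local web server; pointing block entries at 0.0.0.0 instead makes the connection fail immediately with nothing to answer it.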

#9 Raine Dragon (Topic Starter)
OK. I've got ComboFix uninstalled, I've got Norton uninstalled (I'm keeping AVG), and I've got Java uninstalled (but now I can't get it back because it's on a secure HTTP page. I'm going to swap the drives so I can download it and then transfer the installation file onto this drive so I can install it, though.)

IE-Spyad is a nice app, but I don't use Internet Explorer. I've found Firefox to be much more compliant with web standards, as well as a more stable and secure application. I really only keep the other browsers I have for compatibility testing.

I've now installed:
SpywareBlaster
SpywareGuard

I'm skipping the IE security settings change as I currently only use IE for testing web pages I've coded and change the setting periodically for page testing purposes.

As for how I got infected, I've got that down. ^^; My Norton was out of date because I don't have a paid subscription, I mistyped a URL, and landed on a page with an auto-download built into an auto-start video file... AVG seems much more competent than the old Norton, and I've also added the ZoneAlarm firewall. I really hadn't realized just how out of date Norton had gotten; I wasn't really paying much attention... especially as I tend not to have such problems; I'm generally very careful about where I go online. I've certainly learned my lesson. >.<;

----------------------------------------------------------------------------------------------

I seem to only have one problem left, and that is that I cannot view secure HTTP pages. I've already checked my browser settings and tried multiple browsers with no success, and it doesn't seem like my security is blocking them, as I tried accessing a server I know to be clean (it belongs to my web professor) with my web security disabled and was still unable to connect. The browser does everything right; it just comes back with a connection error, the same sort I would get if I was trying to view a web page without being connected to the internet.


Thank you so much for all of your help thus far; I really, really appreciate it. ^___^

Edited by Raine Dragon, 08 February 2008 - 08:35 AM.


#10 Rorschach112 (Retired Staff)
Not sure what is causing your HTTP problem; maybe post in the Windows XP forum about that.

Any more questions?

#11 Raine Dragon (Topic Starter)
Nope, I think that's the only thing left. ^_^

Thank you so much for all of your help!

#12 Rorschach112 (Retired Staff)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.