Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

WinAnonymous? Adware problem- hijackthis log included [RESOLVED]


  • This topic is locked This topic is locked

#1
Ace Brown

Ace Brown

    Member

  • Member
  • PipPip
  • 26 posts
Hello, here is the attached hijack this log.

Symptoms are pop-up ads, and it seems like when i'm on a website, something causes an "invisible window" to pop up. hard to explain, the dark blue bar at the top of Internet Explorer turns light blue and i can no longer continue typing, scrolling with mouse wheel, etc. as if i had clicked on a new window. It works again once i click anywhere on my regular window.

That's mildly annoying, the biggest pest are the ads. they are varied from Boact Systems LTD. to Area Connect, to Edmunds.com, dating services, NoAdware.com, and other various.

If i didn't do something right before posting, i apologize. Thanks for your help
-ace

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:43 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\lxcycoms.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJack THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gocatgo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fasoft.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [0bca97a7] rundll32.exe "C:\WINDOWS\system32\puudqfdb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9038 bytes
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Ace Brown

Welcome to G2Go. :)
===============
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hello, thanks for the fast reply and for the hospitality :) ! Here's the logs:


ComboFix Log:
ComboFix 08-02-20.2 - Compaq_Owner 2008-02-19 21:59:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\rqrpomk.dll
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\qula.dll
C:\Program Files\network monitor
C:\Program Files\Online Services\qadi89104.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bdfqduup.ini
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nGpxx18\nGpxx182328.exe
C:\WINDOWS\system32\oaqjuhib.dll
C:\WINDOWS\system32\p9
C:\WINDOWS\system32\p9\liopud89104.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\puudqfdb.dll
C:\WINDOWS\system32\rqrpomk.dll
C:\WINDOWS\system32\w11
C:\WINDOWS\system32\w11\hiba3133.exe
C:\WINDOWS\tk58.exe
D:\Autorun.inf
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 17:09 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\HiJack THIS
2008-02-19 17:04 . 2008-02-19 17:04 <DIR> d-------- C:\Program Files\Panda Security
2008-02-19 16:32 . 2008-02-19 16:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-19 16:32 . 2008-02-19 16:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-18 22:14 . 2008-02-18 22:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-18 22:11 . 2008-02-19 22:00 <DIR> d-------- C:\Temp
2008-02-09 10:47 . 2008-02-09 10:47 <DIR> d-------- C:\Program Files\MySpace
2008-02-09 10:47 . 2008-02-09 10:47 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\MySpace
2008-01-22 20:38 . 2008-01-22 20:38 0 --a------ C:\.autoreg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 20:44 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\n-Track Studio5
2008-02-19 03:31 --------- d-----w C:\Program Files\Incomplete
2008-02-19 03:30 --------- d-----w C:\Program Files\SHARE
2008-02-19 03:14 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-02-04 23:52 3,368 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-02-03 20:12 --------- d-----w C:\Program Files\lx_cats
2008-02-01 03:24 --------- d-----w C:\Program Files\Java
2008-01-23 16:23 --------- d-----w C:\Program Files\Google
2008-01-16 01:32 --------- d-----w C:\Program Files\Real
2008-01-07 19:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-07 16:49 --------- d-----w C:\Program Files\music_now
2008-01-07 15:35 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
2008-01-07 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 05:27 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2008-01-07 04:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-07 04:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-07 04:55 --------- d-----w C:\Program Files\Symantec
2008-01-07 04:27 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\SpywareBot
2008-01-03 20:18 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-12-20 02:09 --------- d-----w C:\Program Files\FASoft
2007-12-20 02:06 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\n-Track Studio
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E015787-B1E3-404a-95DE-3E71E1FA0305}]
C:\WINDOWS\system32\spads.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 11:17 68856]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 12:23 15961088 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-01 08:02 7311360]
"nwiz"="nwiz.exe" [2005-12-01 08:02 1519616 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 18:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 12:29 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-13 22:23 663552]
"DeltTray"="DeltTray.exe" [2003-12-09 20:53 56320 C:\WINDOWS\system32\delttray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-21 22:48 180269]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2006-03-06 12:48 286720]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2006-02-07 00:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 03:11 290816]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 06:54 65536]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-02-21 22:21:17 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-27 16:17:46 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2006-02-20 14:23]
S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 04:42]
S3 jswmidin;jswmidin;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys []

*Newly Created Service* - HTTPFILTER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 22:13:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
.
**************************************************************************
.
Completion time: 2008-02-19 22:16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 03:16:36
.
2008-02-13 08:02:58 --- E O F ---




Here's the
HIJACK THIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:03 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\internet explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HiJack THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gocatgo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fasoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll (file missing)
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Copper HiSpeed\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9708 bytes
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

Please uninstall Spywarebot as it is a rouge security application.
SpywareBot exploits name "Spybot Search & Destroy"
====================================================
After that please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll (file missing)


Now click on Fix Checked and then close Hijackthis.
======================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#5
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Sorry for my stupidity but i can't seem to locate SpywareBot. According to the log it should be under Program Files\Spywarebot but i'm unable to locate that.
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Not stupidity it probably removed the Folder under Program Files\Spywarebot when you uninstalled it.
If you didn't uninstall it then it is probably just an old entry in the registry.
The important thing is that it is not there anymore. :)

You can go ahead with the next steps.
  • 0

#7
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Ok, couldn't find spybot so i'm assuming it's long gone....or hoping :)

Here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 20, 2008 12:49:18 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/02/2008
Kaspersky Anti-Virus database records: 573443
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 90176
Number of viruses found: 15
Number of infected objects: 94
Number of suspicious objects: 2
Duration of the scan process: 01:26:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-19_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004156A3.tmp/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/UNNAMED/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/msg.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004156A3.tmp/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/UNNAMED/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/msg.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004156A3.tmp/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004156A3.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004156A3.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\041C51BF.tmp/[From adsl-66-142-239-70.dsl.kscymo.swbell.net [66.142.239.70]][Date Tue, 8 Aug 2006 14:04:27 -0700]/UNNAMED/[From [email protected]][Date Tue, 8 Aug 2006 16:04:53 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\041C51BF.tmp/[From adsl-66-142-239-70.dsl.kscymo.swbell.net [66.142.239.70]][Date Tue, 8 Aug 2006 14:04:27 -0700]/UNNAMED/[From [email protected]][Date Tue, 8 Aug 2006 16:04:53 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\041C51BF.tmp/[From adsl-66-142-239-70.dsl.kscymo.swbell.net [66.142.239.70]][Date Tue, 8 Aug 2006 14:04:27 -0700]/UNNAMED/[From [email protected]][Date Tue, 8 Aug 2006 16:04:53 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\041C51BF.tmp/[From adsl-66-142-239-70.dsl.kscymo.swbell.net [66.142.239.70]][Date Tue, 8 Aug 2006 14:04:27 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\041C51BF.tmp Mail: infected - 2, suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\041C51BF.tmp CryptFF: infected - 2, suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A905CA.tmp/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/UNNAMED/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/msg.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A905CA.tmp/[From [email protected]ox.com][Date Thu, 26 Oct 2006 20:03:44 -0400]/UNNAMED/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/msg.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A905CA.tmp/[From [email protected]][Date Thu, 26 Oct 2006 20:03:44 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A905CA.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A905CA.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CE04CE.tmp/[From [email protected]][Date Wed, 15 Nov 2006 09:26:40 -0500]/UNNAMED/[From [email protected]][Date Wed, 15 Nov 2006 09:26:40 -0500]/message.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CE04CE.tmp/[From [email protected]][Date Wed, 15 Nov 2006 09:26:40 -0500]/UNNAMED/[From [email protected]][Date Wed, 15 Nov 2006 09:26:40 -0500]/message.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CE04CE.tmp/[From [email protected]][Date Wed, 15 Nov 2006 09:26:40 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CE04CE.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CE04CE.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7E6948.tmp/[From [email protected]][Date Tue, 31 Oct 2006 18:25:57 -0500]/UNNAMED/[From [email protected]][Date Tue, 31 Oct 2006 18:25:57 -0500]/details.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7E6948.tmp/[From [email protected]][Date Tue, 31 Oct 2006 18:25:57 -0500]/UNNAMED/[From [email protected]][Date Tue, 31 Oct 2006 18:25:57 -0500]/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7E6948.tmp/[From [email protected]][Date Tue, 31 Oct 2006 18:25:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7E6948.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7E6948.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53F7220A.tmp/[From [email protected]][Date Mon, 15 Jan 2007 19:46:47 -0500]/UNNAMED/[From [email protected]][Date Mon, 15 Jan 2007 19:46:47 -0500]/readme_ace.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53F7220A.tmp/[From [email protected]][Date Mon, 15 Jan 2007 19:46:47 -0500]/UNNAMED/[From [email protected]][Date Mon, 15 Jan 2007 19:46:47 -0500]/readme_ace.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53F7220A.tmp/[From [email protected]][Date Mon, 15 Jan 2007 19:46:47 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53F7220A.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53F7220A.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56952485.wmf Infected: Exploit.Win32.IMG-WMF.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CAA5D5E.tmp/[From [email protected]][Date Sat, 7 Oct 2006 15:08:40 -0400]/UNNAMED/[From [email protected]][Date Sat, 7 Oct 2006 15:08:40 -0400]/message.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CAA5D5E.tmp/[From [email protected]][Date Sat, 7 Oct 2006 15:08:40 -0400]/UNNAMED/[From [email protected]][Date Sat, 7 Oct 2006 15:08:40 -0400]/message.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CAA5D5E.tmp/[From [email protected]][Date Sat, 7 Oct 2006 15:08:40 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CAA5D5E.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CAA5D5E.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70C958DA.tmp/[From [email protected]][Date Wed, 18 Oct 2006 09:58:36 -0400]/UNNAMED/[From [email protected]][Date Wed, 18 Oct 2006 09:58:36 -0400]/abuses.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70C958DA.tmp/[From [email protected]][Date Wed, 18 Oct 2006 09:58:36 -0400]/UNNAMED/[From [email protected]][Date Wed, 18 Oct 2006 09:58:36 -0400]/abuses.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70C958DA.tmp/[From [email protected]][Date Wed, 18 Oct 2006 09:58:36 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70C958DA.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70C958DA.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7891644A.tmp/[From [email protected]][Date Sat, 21 Oct 2006 23:36:28 -0400]/UNNAMED/[From [email protected]][Date Sat, 21 Oct 2006 23:36:28 -0400]/info02.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7891644A.tmp/[From [email protected]][Date Sat, 21 Oct 2006 23:36:28 -0400]/UNNAMED/[From [email protected]][Date Sat, 21 Oct 2006 23:36:28 -0400]/info02.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7891644A.tmp/[From [email protected]][Date Sat, 21 Oct 2006 23:36:28 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7891644A.tmp Mail: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7891644A.tmp CryptFF: infected - 3 skipped
C:\Documents and Settings\Compaq_Owner\Application Data\MySpace\IM\Logs\MySpaceIM-20080219-221405.log Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\temp\~DF2337.tmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\temp\~DFE460.tmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.aeh skipped
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\qula.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Online Services\qadi89104.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.vir Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx18\nGpxx182328.exe.vir Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oaqjuhib.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\p9\liopud89104.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\p9\liopud89104.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\puudqfdb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\catchme2008-02-19_221312.90.zip/jkhhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-19_221312.90.zip/rqrpomk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-19_221312.90.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP580\A0073503.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.d skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075820.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075821.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075822.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075823.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075824.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075825.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075826.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075884.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP623\A0075885.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075897.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075900.exe Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075901.exe Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075902.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075903.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075904.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075905.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075906.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075906.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075908.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075912.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\A0075913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\I386\APPS\APP01444\src\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP01444\src\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP01444\src\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP01444\src\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
D:\I386\APPS\APP01444\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP01444\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP01444\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP01444\src\HPPavillion_Spring06.exe WiseSFXDropper: infected - 2 skipped
D:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP624\change.log Object is locked skipped

Scan process completed.
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good just a little left to go. :)

Please empty your Norton Quarantine.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\hp\bin\wbug\CompaqPresario_Spring06.exe
    D:\I386\APPS\APP01444\src\CompaqPresario_Spring06.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


ALso a new Hijackthis and let me know things are running ?
  • 0

#9
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
A few months ago i removed Norton because of the annoyance of popup windows telling me that updates were available and my virus database was out of date. It is what came with the computer, it wasn't the full version anyhow and i didn't want to purchase Norton so i deleted it. Unless it is still lingering somehwere i didn't know about.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok go ahead with OT Moveit2 and we will remove nortn and we will get you another free anti virus.
Pos those logs and we will go from there. :)
  • 0

Advertisements


#11
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Ok, i'll start the OT Move It in a bit, i'm in and out today. Should return in a couple hours. I do have AVG, but i'm sure there are some better programs. Thanks so far for all of your help :)
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
AVG is what I recommend it is fine.

For Norton go Here and download the removal tool then run it reboot and you should be rid of norton. :)

Post the OtMove it 2 log and a hijackthis log and we will finish it up. :)
  • 0

#13
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
OT MoveIt Log:


C:\hp\bin\wbug\CompaqPresario_Spring06.exe moved successfully.
D:\I386\APPS\APP01444\src\CompaqPresario_Spring06.exe moved successfully.

OTMoveIt2 v1.0.20 log created on 02202008_135338



HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:05 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HiJack THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gocatgo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fasoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Copper HiSpeed\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8429 bytes
  • 0

#14
Ace Brown

Ace Brown

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Forgot to mention that since running ComboFix initally, everything started running just as normal. Any idea what the malware was called? I saw that quall.dll somewhere in the log and i had seen it in C:\ somewhere. Did that have something to do with it?
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I didn't see quall.dll anywhere in the logs.
But you have a combination of spyware.
Network Monitor,Vundo,and some worm files,etc..
==================================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Copper HiSpeed\components\NOWImaging.dll (file missing)



Now click on Fix Checked and then close Hijackthis.
======================================
After that I do not see any antivirus so
Download this anti-virus program and install it.
This is free.
AVG free
=========================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

    The above procedure will delete and do the following:

    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete\uninstall anything that we used that is left over.
==================================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP