antispywareupdates.net Virus

#1
ssimones
Hi all,
Thanks for helping.

Here's my problem.

1. Keep getting pop ups from antispywareupdates.net
2. Task manager locked
3. Fake Windows Security Center popups
4. Hijacks to the antispyware website

This is what I've done to try and correct:

A. Ran Norton Scan
Ran PC tools Spyware Doctor scan several times.

B. Ran ATF Cleaner
Ran PC Tools again
Ran Hijack log
Ran uninstall list

C. Ran ComboFix
Ran ATF Cleaner
Ran Hijack log
Ran uninstall list

Still having same problems.
All logs included here.
/////////////////////////////////////////////////////////////////////////////////////////////////////////


B. Hijack Log before combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:09 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\BrowseBlast Web Accelerator\slipcore.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BrowseBlast Web Accelerator\slipgui.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {363f6f52-1dd2-11b2-b749-f0a230c42ede} - C:\WINDOWS\yxcjgpur.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\BrowseBlast Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [qtsbchip] regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\qtsbchip.dll"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\slipgui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204493892218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202671316937
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: (no name) - http://attach.mud.ma...m...n&sort=date
O24 - Desktop Component 1: (no name) - http://us.i1.yimg.co...ime/shd_r_2.gif

--
End of file - 10092 bytes
///////////////////////////////////////////////////////////////////////////////////////////////////////


B. Uninstall List before combofix

Adobe Flash Player ActiveX
Adobe Reader 7.0.5
AppCore
AudibleManager
AV
Bonjour
Brother MFL Pro Suite
BrowseBlast Web Accelerator
ccCommon
CCScore
Creative MuVo V100
Creative System Information
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows XP (KB909394)
HSP56 MR Drivers
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Lexmark Supplies Monitor
Lexmark Z23-Z33
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Mavis Beacon Teaches Typing 15
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office 97, Professional Edition
MSRedist
NFIRSv540
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Save and Restore
Notifier
OfotoXMI
OTtBP
OTtBPSDK
PaperPort 9.0
Personal Ancestral File 5
QuickBooks Pro 2005
QuickTime
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB926436)
SFR
SHASTA
Shockwave
SKIN0001
SKINXSDK
SPBBC 32bit
Spyware Doctor 5.5
staticcr
The Print Shop Photo Pro
TurboTax Home & Business 2006
TurboTax Home & Business 2007
TurboTax ItsDeductible 2006
Update for Windows XP (KB927891)
VPRINTOL
Wal-Mart Digital Photo Manager
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
WIRELESS

///////////////////////////////////////////////////////////////////




C. Combofix log

ComboFix 08-03-03.12 - Sandra 2008-03-03 11:50:32.1 - NTFSx86
Running from: C:\Documents and Settings\Sandra.SANDRA-903D118E\Desktop\Geeks to Go\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\qtsbchip.dll
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\FunWebProducts
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\plus32.ocx
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\yxcjgpur.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 11:58 . 2008-03-03 11:58 1,856 --a------ C:\WINDOWS\default.htm
2008-03-03 11:38 . 2008-03-03 11:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 08:59 . 2008-03-03 08:59 2,855 --a------ C:\WINDOWS\xxxvideo.PIF
2008-03-02 20:34 . 2008-03-03 09:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-02 20:34 . 2008-03-03 11:37 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2008-03-02 20:34 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-02 20:34 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-02 20:34 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-02 20:34 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-02 15:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-02 15:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-02 15:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-02 15:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-02 15:23 . 2008-03-02 15:23 <DIR> d-------- C:\Documents and Settings\Sandra.SANDRA-903D118E\Application Data\PC Tools
2008-03-02 14:51 . 2008-03-02 14:51 2,855 --a------ C:\WINDOWS\hotporn.PIF
2008-03-02 08:15 . 2008-03-02 08:15 31,744 --a------ C:\WINDOWS\lshqtwpm.exe
2008-03-02 08:15 . 2008-03-02 08:15 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-02 08:14 . 2008-03-02 08:15 89,099 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-01 08:00 . 2008-03-01 08:00 <DIR> d-------- C:\Program Files\FamilySearch
2008-02-14 21:49 . 2008-02-14 21:50 <DIR> d-------- C:\Program Files\MFInstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 17:59 --------- d-----w C:\Program Files\p2pnetworks
2008-03-03 17:59 --------- d-----w C:\Program Files\amsys
2008-03-03 17:59 --------- d-----w C:\Program Files\akl
2008-03-03 17:59 --------- d-----w C:\Program Files\Accoona
2008-03-03 17:58 --------- d-----w C:\Program Files\3721
2008-03-03 17:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-03 17:29 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Symantec
2008-03-03 17:16 --------- d-----w C:\Documents and Settings\Sandra.SANDRA-903D118E\Application Data\SlipStream
2008-03-02 19:44 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-02 19:44 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-02 19:44 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-02 19:44 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-02 19:44 --------- d-----w C:\Program Files\Symantec
2008-03-01 14:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 23:31 --------- d-----w C:\Documents and Settings\Sandra.SANDRA-903D118E\Application Data\Intuit
2008-02-18 21:51 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-18 21:42 --------- d-----w C:\Program Files\TurboTax
2008-01-21 00:36 --------- d-----w C:\Documents and Settings\Sandra.SANDRA-903D118E\Application Data\Wal-Mart Digital Photo Manager
2008-01-20 02:26 --------- d-----w C:\Program Files\NFIRSv54
2008-01-15 15:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 11:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 00:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2006-05-22 16:15 911,307 ----a-w C:\Documents and Settings\My Downloads\ftpsurfer107.exe
2006-05-18 19:51 388,008 ----a-w C:\Documents and Settings\My Downloads\Express Scribe.exe
2005-10-20 13:04 379,905 ----a-w C:\Documents and Settings\My Downloads\ipadsender.zip
2005-10-19 13:37 1,366,650 ----a-w C:\Documents and Settings\My Downloads\safelistdirectory.exe
2005-10-05 23:49 11,814,432 ----a-w C:\Documents and Settings\My Downloads\RealPlayer10-5GOLD_bb_3.exe
2005-10-05 19:38 1,988,480 ----a-w C:\Documents and Settings\My Downloads\RealPlayer10-5GOLD_bb_2.exe
2005-10-05 19:02 2,058,241 ----a-w C:\Documents and Settings\My Downloads\RealPlayer10-5GOLD_bb_1.exe
2005-10-05 18:33 1,380,320 ----a-w C:\Documents and Settings\My Downloads\RealPlayer10-5GOLD_bb.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-28 20:51 107112]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 19:22 26248]
"Norton Save and Restore"="C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [2006-03-03 20:36 1582744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-28 21:48 155648]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-05-06 06:40 900096]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 00:16 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 00:35 40960]
"SlipStream"="C:\Program Files\BrowseBlast Web Accelerator\slipcore.exe" [2007-01-12 13:34 253952]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BrowseBlast Web Accelerator.lnk - C:\Program Files\BrowseBlast Web Accelerator\slipgui.exe [2007-03-21 03:07:27 167936]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-01 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-01 51984]
Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-11-02 09:55:46 2392064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Norton Save and Restore;Norton Save and Restore;C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe [2006-03-03 20:36]
R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
R3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 13:12]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
R3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2005-11-07 03:50]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2005-08-17 21:44]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 11:58:39
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\msole32.exe 26880 bytes
C:\WINDOWS\system32\ESHOPEE.exe 11520 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-03-03 12:00:39
ComboFix-quarantined-files.txt 2008-03-03 18:00:33
.
2008-03-03 16:05:24 --- E O F ---


///////////////////////////////////////////////////////////////////////////////////////////////////
C. HijackThis log after Combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:46 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\BrowseBlast Web Accelerator\slipcore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BrowseBlast Web Accelerator\slipgui.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\BrowseBlast Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\slipgui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204493892218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202671316937
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: (no name) - http://attach.mud.ma...m...n&sort=date
O24 - Desktop Component 1: (no name) - http://us.i1.yimg.co...ime/shd_r_2.gif

--
End of file - 8575 bytes


//////////////////////////////////////////////////////////////////////////////////////////////////

C. Uninstall list after combofix

Adobe Flash Player ActiveX
Adobe Reader 7.0.5
AppCore
AudibleManager
AV
Bonjour
Brother MFL Pro Suite
BrowseBlast Web Accelerator
ccCommon
CCScore
Creative MuVo V100
Creative System Information
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows XP (KB909394)
HSP56 MR Drivers
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Lexmark Supplies Monitor
Lexmark Z23-Z33
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Mavis Beacon Teaches Typing 15
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office 97, Professional Edition
MSRedist
NFIRSv540
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Save and Restore
Notifier
OfotoXMI
OTtBP
OTtBPSDK
PaperPort 9.0
Personal Ancestral File 5
QuickBooks Pro 2005
QuickTime
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB926436)
SFR
SHASTA
Shockwave
SKIN0001
SKINXSDK
SPBBC 32bit
Spyware Doctor 5.5
staticcr
The Print Shop Photo Pro
TurboTax Home & Business 2006
TurboTax Home & Business 2007
TurboTax ItsDeductible 2006
Update for Windows XP (KB927891)
VPRINTOL
Wal-Mart Digital Photo Manager
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
WIRELESS