Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

VIRUS ALERT! near clock [RESOLVED]


  • This topic is locked This topic is locked

#1
SteveC71

SteveC71

    New Member

  • Member
  • Pip
  • 8 posts
Hi There,

I have some malware/spyware on my PC which shows a flashing shield near the clock saying I have suspected spyware on the PC.

I also have VIRUS ALERT! next to the time.

Here is the HJT log from the Machine. Any help would be greatly appreciated. Many Thanks SteveC71

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:22, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\ACT\act.exe
C:\Program Files\ACT\act.exe
C:\Program Files\Norton 360\ScanStub.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
O2 - BHO: QXK Olive - {18405E86-B211-4B83-B143-3BDF4D813ECB} - C:\WINDOWS\ksendlbtknb.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: 441465 helper - {D311C486-7D5F-4D73-B791-EE56C47D3B2E} - C:\WINDOWS\system32\441465\441465.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: vrmdtneg - {51F6BB5B-9DEF-42C6-B28D-85138B300431} - C:\WINDOWS\vrmdtneg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [PSBO Clean] C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe /clean
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorer...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorer...om/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advancedmeet...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = bridgehousesolutions.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: chicot - {c27abdde-8a43-4a7f-81c0-3fc3c952284f} - C:\WINDOWS\system32\sgntu.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8569 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you for your help. Here is the Combo Fix log

ComboFix 08-06-20.4 - Administrator 2008-06-27 10:10:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.168 [GMT 1:00]
Running from: J:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpyCheck 2.1.lnk
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Desktop\Error Cleaner.url
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Desktop\Privacy Protector.url
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Favorites\Error Cleaner.url
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Favorites\Privacy Protector.url
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Start Menu\AntiSpyCheck 2.1.lnk
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Start Menu\Programs\AntiSpyCheck 2.1
C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Start Menu\Programs\AntiSpyCheck 2.1\AntiSpyCheck 2.1.lnk
C:\Program Files\AntiSpyCheck 2.1
C:\WINDOWS\ekvs.exe
C:\WINDOWS\ksendlbtknb.dll
C:\WINDOWS\system32\441465
C:\WINDOWS\system32\441465\441465.dll
C:\WINDOWS\vrmdtneg.dll
C:\WINDOWS\wpvmqosg.dll
C:\WINDOWS\xvorfwbd.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-26 12:37 . 2008-06-26 12:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 11:57 . 2008-06-26 11:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Interact Commerce
2008-06-26 11:25 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-26 11:23 . 2008-06-26 11:23 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-26 11:20 . 2008-06-26 11:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-26 11:14 . 2008-06-26 11:14 <DIR> dr-h----- C:\MSOCache
2008-06-26 10:13 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-25 11:57 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-25 11:57 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-24 17:02 . 2008-06-24 17:02 15 --a------ C:\WINDOWS\DatabaseID
2008-06-23 11:28 . 2008-06-23 11:28 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-23 11:28 . 2008-06-24 11:52 <DIR> d-------- C:\Program Files\Norton 360
2008-06-23 11:26 . 2008-06-23 11:31 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-23 11:26 . 2008-06-23 11:31 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-23 11:26 . 2008-06-23 11:31 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-23 11:26 . 2008-06-23 11:31 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-23 10:44 . 2008-06-23 13:10 <DIR> d-------- C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\Symantec
2008-06-23 09:08 . 2008-06-23 09:08 <DIR> d-------- C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\TmpRecentIcons
2008-06-21 16:15 . 2008-06-23 11:05 <DIR> d-------- C:\Program Files\LabelCommand
2008-06-21 15:05 . 2008-06-16 17:18 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-06-21 15:01 . 2008-06-25 18:18 <DIR> d-------- C:\Program Files\VAV
2008-06-21 15:01 . 2008-06-16 17:18 3,262 --a------ C:\WINDOWS\system32\sex1.ico
2008-06-21 15:00 . 2008-06-25 18:18 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-06-21 14:56 . 2008-06-21 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 14:56 . 2008-06-21 10:55 81,920 --a------ C:\WINDOWS\neltabxw.exe
2008-06-21 14:29 . 2008-06-21 14:29 <DIR> d-------- C:\Program Files\Platte
2008-06-21 14:20 . 2008-06-23 11:00 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 14:19 . 2008-06-23 11:05 <DIR> d-------- C:\Program Files\Web Technologies
2008-06-11 14:43 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 09:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-26 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-26 11:27 --------- d-----w C:\Program Files\ACT
2008-06-26 10:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-26 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-25 08:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-23 10:31 --------- d-----w C:\Program Files\Symantec
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-16 08:49 25,168 ----a-w C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\GDIPFONTCACHEV1.DAT
2004-10-25 13:16 19,552 ----a-w C:\Documents and Settings\bridgehouse3\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-06-17 14:23 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-23 11:29 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51F6BB5B-9DEF-42C6-B28D-85138B300431}"= "C:\WINDOWS\vrmdtneg.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51f6bb5b-9def-42c6-b28d-85138b300431}]
[HKEY_CLASSES_ROOT\vrmdtneg.1]
[HKEY_CLASSES_ROOT\TypeLib\{0BE9671C-BF0E-40CA-BA75-344F9F041C32}]
[HKEY_CLASSES_ROOT\vrmdtneg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19 303104]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 17:06 32768]
"PSBO Clean"="C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe" [2005-04-19 14:39 716800]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-13 11:42 1836544]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-14 14:15 180269]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 11:19 378784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-02-16 15:24:19 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{c27abdde-8a43-4a7f-81c0-3fc3c952284f}"= C:\WINDOWS\system32\sgntu.dll [2008-06-20 17:25 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 08:39]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 10:15:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-27 10:20:13
ComboFix-quarantined-files.txt 2008-06-27 09:20:04

Pre-Run: 66,760,294,400 bytes free
Post-Run: 67,011,366,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

154 --- E O F --- 2008-06-20 16:25:41


I then had to restart the machine as I had no icons or task bar (sorry if i have done something wrong, but I could not run Hijack this until I restarted.


Here is the new HJT log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:30, on 27/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: vrmdtneg - {51F6BB5B-9DEF-42C6-B28D-85138B300431} - C:\WINDOWS\vrmdtneg.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [PSBO Clean] C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe /clean
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advancedmeet...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = bridgehousesolutions.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: chicot - {c27abdde-8a43-4a7f-81c0-3fc3c952284f} - C:\WINDOWS\system32\sgntu.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7847 bytes


Best regards,

SteveC71
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\sgntu.dll
C:\WINDOWS\neltabxw.exe
C:\WINDOWS\system32\sex1.ico
Folder::
C:\Program Files\PCHealthCenter
C:\Program Files\VAV
C:\Program Files\LabelCommand
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51F6BB5B-9DEF-42C6-B28D-85138B300431}"=-
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=-
[-HKEY_CLASSES_ROOT\clsid\{51f6bb5b-9def-42c6-b28d-85138b300431}]
[-HKEY_CLASSES_ROOT\vrmdtneg.1]
[-HKEY_CLASSES_ROOT\TypeLib\{0BE9671C-BF0E-40CA-BA75-344F9F041C32}]
[-HKEY_CLASSES_ROOT\vrmdtneg]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{c27abdde-8a43-4a7f-81c0-3fc3c952284f}"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#5
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the new Combo Fix log and the new HJT log.

ComboFix 08-06-20.4 - Administrator 2008-06-27 10:54:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.170 [GMT 1:00]
Running from: J:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\neltabxw.exe
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sgntu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\LabelCommand
C:\Program Files\LabelCommand\uninstall.dat
C:\Program Files\LabelCommand\Uninstall.exe
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\VAV
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\WINDOWS\neltabxw.exe
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sgntu.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-26 12:37 . 2008-06-26 12:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 11:57 . 2008-06-26 11:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Interact Commerce
2008-06-26 11:25 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-26 11:23 . 2008-06-26 11:23 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-26 11:20 . 2008-06-26 11:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-26 11:14 . 2008-06-26 11:14 <DIR> dr-h----- C:\MSOCache
2008-06-26 10:13 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-25 11:57 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-25 11:57 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-24 17:02 . 2008-06-24 17:02 15 --a------ C:\WINDOWS\DatabaseID
2008-06-23 11:28 . 2008-06-23 11:28 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-23 11:28 . 2008-06-24 11:52 <DIR> d-------- C:\Program Files\Norton 360
2008-06-23 11:26 . 2008-06-23 11:31 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-23 11:26 . 2008-06-23 11:31 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-23 11:26 . 2008-06-23 11:31 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-23 11:26 . 2008-06-23 11:31 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-23 10:44 . 2008-06-23 13:10 <DIR> d-------- C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\Symantec
2008-06-23 09:08 . 2008-06-23 09:08 <DIR> d-------- C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\TmpRecentIcons
2008-06-21 15:05 . 2008-06-16 17:18 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-06-21 14:56 . 2008-06-21 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 14:29 . 2008-06-21 14:29 <DIR> d-------- C:\Program Files\Platte
2008-06-21 14:20 . 2008-06-23 11:00 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 14:19 . 2008-06-23 11:05 <DIR> d-------- C:\Program Files\Web Technologies
2008-06-11 14:43 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 09:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-26 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-26 11:27 --------- d-----w C:\Program Files\ACT
2008-06-26 10:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-26 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-25 08:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-23 10:31 --------- d-----w C:\Program Files\Symantec
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-16 08:49 25,168 ----a-w C:\Documents and Settings\bridgehouse3.BRIDGEHOUSESOLU.000\Application Data\GDIPFONTCACHEV1.DAT
2004-10-25 13:16 19,552 ----a-w C:\Documents and Settings\bridgehouse3\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [email protected]_10.19.35.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-27 08:48:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 09:58:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 09:58:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_658.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-06-17 14:23 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-23 11:29 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19 303104]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 17:06 32768]
"PSBO Clean"="C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe" [2005-04-19 14:39 716800]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-13 11:42 1836544]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-14 14:15 180269]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 11:19 378784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-02-16 15:24:19 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 08:39]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 10:59:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
.
**************************************************************************
.
Completion time: 2008-06-27 11:04:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 10:04:38
ComboFix2.txt 2008-06-27 09:20:14

Pre-Run: 67,374,944,256 bytes free
Post-Run: 67,364,749,312 bytes free

151 --- E O F --- 2008-06-20 16:25:41











Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:01, on 27/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [PSBO Clean] C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe /clean
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advancedmeet...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = bridgehousesolutions.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7514 bytes



Best regards,

Steve.
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I see I forgot to add this file in the script for removal:

C:\WINDOWS\system32\sex2.ico

So navigate to the C:\WINDOWS\system32 folder and delete the sex2.ico file in there. It's just an icon.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against next entry:

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#7
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi miekiemoes,

Well that seems to have done the job, I now no loger have the VIRUS ALERT! next to the clock and the annoying flashing shield has gone too, thank you so much for your help.

I did have the same problem on another computer but I did a system restore back to the 9th June. Only problem is that I dont have any network connection after the restore. Could that be something to do with the spyware?

Best regards,

Steve.
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Good to hear everything is Ok again.

For the other computer... I cannot tell you if the loss of Internet Connection was caused by malware. After all, you restored it to a previous restore point, so I don't know what happened on that day (9th june) and what caused the loss of your internet.
It may be a good idea to post a Hijackthislog from that computer as well. Transfer the log via flashdrive/thumbdrive/cd whatever to this computer.
  • 0

#9
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi

Ok, heres the other machines HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:49, on 27/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe
C:\Program Files\IM\IM.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Zango\bin\10.3.37.0\Weather.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Network -p \\Server01\hp1150laser -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PSBO Clean] C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe /clean
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [IM] C:\Program Files\IM\IMLauncher.exe /boot:1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [A00F20B460.exe] C:\DOCUME~1\BRIDGE~1\LOCALS~1\Temp\_A00F20B460.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2888796584-3929048135-1500475866-1148\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2888796584-3929048135-1500475866-500\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=21871
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supportcente...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = bridgehousesolutions.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10369 bytes


Thanks again for your help.

Best regards,

Steve.
  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Well, this computer is still infected as well though...

First of all, uninstall Zango and ShopperReports via software > add & remove programs.
Then reboot.
After reboot, download combofix and the Recovery console installer (that applies for above computer) to your clean computer and transfer it to the infected one.
Then install the Recovery Console there with Combofix and post the Combofix log in your next reply.
  • 0

Advertisements


#11
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Here are the Combo fix and HJT logs

ComboFix 08-06-20.4 - Bridgehouse1 2008-06-27 14:06:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.672 [GMT 1:00]
Running from: C:\Documents and Settings\bridgehouse1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bridgehouse1\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\__c00D6B46.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ssBIkUvw.ini
C:\WINDOWS\system32\ssBIkUvw.ini2
C:\WINDOWS\system32\vtUOIBSl.dll
C:\WINDOWS\system32\wvUkIBss.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_runtime


((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 13:24 . 2008-06-27 13:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 16:19 . 2008-06-24 16:19 <DIR> d-------- C:\Program Files\XP TCPIP Repair
2008-06-24 13:03 . 2008-06-24 13:03 <DIR> d-------- C:\Program Files\SiSLan
2008-06-24 12:05 . 2008-06-24 12:05 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-24 12:03 . 2008-06-24 12:05 <DIR> d-------- C:\Program Files\Symantec
2008-06-24 12:03 . 2008-06-24 12:03 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-24 12:03 . 2008-06-24 12:06 <DIR> d-------- C:\Documents and Settings\bridgehouse1\Application Data\Symantec
2008-06-24 12:03 . 2008-06-24 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-23 17:04 . 2008-06-23 17:04 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-23 17:03 . 2008-06-24 12:03 <DIR> d-------- C:\Program Files\Norton 360
2008-06-23 16:58 . 2008-06-24 12:03 <DIR> d-------- C:\Program Files\Symantec(2)
2008-06-23 16:58 . 2008-06-24 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec(2)
2008-06-23 15:58 . 2008-06-24 12:03 <DIR> d-------- C:\Documents and Settings\bridgehouse1\Application Data\Symantec(2)
2008-06-23 14:21 . 2007-01-10 03:47 624,784 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-17 09:58 . 2008-06-24 12:06 <DIR> d-------- C:\Program Files\VAV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 11:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 11:05 --------- d-----w C:\Program Files\ACT
2008-06-04 12:57 --------- d-----w C:\Documents and Settings\bridgehouse1\Application Data\AdobeUM
2008-05-21 11:13 --------- d-----w C:\Program Files\MSECache
2008-05-21 08:08 --------- d-----w C:\Program Files\Sun
2008-05-21 08:08 --------- d-----w C:\Program Files\Java
2008-05-21 08:06 --------- d-----w C:\Program Files\Common Files\Java
2006-01-03 12:59 34,384 ----a-w C:\Documents and Settings\bridgehouse1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-12-01 05:21 4687352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2004-12-15 16:14 40960]
"pdfSaver3"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 18:20 380928]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 11:29 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2002-05-09 03:19 303104]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 17:06 32768]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28 155648]
"HPLJ Config"="C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe" [2003-03-31 18:32 28672]
"pdfSaver3"="" []
"MMReminderService"="C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" [2005-09-13 03:02 28672]
"PSBO Clean"="C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe" [2005-04-19 14:39 716800]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2006-06-18 14:56 712704]
"IM"="C:\Program Files\IM\IMLauncher.exe" [2006-05-24 19:40 598016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-07 12:52 282624]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 08:11 771704]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 06:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 06:00 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 14:18 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-09-12 19:27 492912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D6B46]
C:\WINDOWS\system32\__c00D6B46.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"C:\\Program Files\\IM\\IM.exe"=

R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 08:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92de734f-2302-11db-aaa8-000b6af5f912}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 14:15:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\IM\IM.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-27 14:22:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 13:22:16

Pre-Run: 67,815,870,464 bytes free
Post-Run: 68,166,987,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

140 --- E O F --- 2008-05-20 08:38:11




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:22, on 2008-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\IM\IM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\CF9084.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Network -p \\Server01\hp1150laser -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PSBO Clean] C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe /clean
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [IM] C:\Program Files\IM\IMLauncher.exe /boot:1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=21871
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supportcente...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = bridgehousesolutions.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bridgehousesolutions.co.uk
O20 - Winlogon Notify: __c00D6B46 - C:\WINDOWS\system32\__c00D6B46.dat (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10367 bytes


Thank you.

Steve.
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Navigate to and delete the following folder:

C:\Program Files\VAV

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - Winlogon Notify: __c00D6B46 - C:\WINDOWS\system32\__c00D6B46.dat (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know if the Internet connection issue is resolved as well. If not, restart this computer in Windows Safe mode WITH networking support and test if it works there. The reason I am asking is because you have Norton Internet Security installed which may cause this issue after all. Seen it in too many cases already.
  • 0

#13
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

I have gone through all the steps you said and hopefully I have a clean machine now.

Unfortunately though it didnt resolve the internet connection. We have a small network with a DHCP and DNS server.

The settings look ok on the machine against the LAN connection under Ipconfig, so I am wondering whether it could be the norton problem you spoke about. Is there anything I could try, otherwise may consider rebuilding the machine at some point.

Best regards,

Steve.
  • 0

#14
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Uninstall Norton Internet Security and reboot afterwards. Let me know if that solved your internet connection issue.
  • 0

#15
SteveC71

SteveC71

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi miekiemoes,

You are brilliant! That worked and I now have network and internet connection. If you were in England I would buy you a beer to say thank you!

I cant tell you how happy I am with your assistance, Thank you so much.

Have a great weekend.

Best regards,

Steve.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP