Question regarding virus
I have been having a major problem with a virus the last ten days. I have always used Norton Anti-Virus and Internet Security, but was told by several people to try Ad-Aware and AVG.
So yesterday, I purchased Ad-Aware Plus and ran it. It found viruses and I was able to remove most of them.
It did find a Win32.TrojanDownloader.Agent also. I was unable to remove or quarantine it. It seems as if it is in Symantec's Shared Folder. Is this because it is in Norton's Quarantine area?
I still get an unbelievable amount of 'cookies' whenever I run the scan. Why am I still getting all these cookies from sites I do not go to?
Occasionally, I have music start all by itself. Is that my computer trying to log on to web sites with sound?
I have used Norton for over ten years and am really struggling to uninstall it and try something new (AVG). Any comments?
Sandy
I did make a screen shot with the info on, but pasted it into a Word document. Is there any way I can attach that file and send it to you? I tried uploading the file below, but got a message I was unable to upload that type of file.
In reading several of the posts from today, it sounds as if we are having a lot of the same problems.
Sandy
Hi Sandy,
You didn't need to buy Ad-Aware for it to remove malware. The free version will remove detected malware as well as the paid version does. The paid version simply has additional features to block malware from entering your system in the first place. However, keep in mind that some of today's malware can disable your security programs, so that may also be at play here.
That's a very difficult time to be switching AVs, I agree. Have you already uninstalled Norton?
Yes, please do attach your document and I'll take a look at it, or you can just copy and paste the info on it into a reply here.
Edit: I re-read your post and see that it is probably an image. You should be able to attach an image here to your reply as long as it is in .gif or .jpg format (it will also take .bmp, but those are so large it may be difficult to upload).
I can help with some diagnostic tools and malware removal procedures to see if we can get back your PC into shape.
Let's start with this tool. It will give me a lot of diagnostic information about your system and any malware that may be hiding, to give me a clue what we are dealing with and what tools or other removal steps may be needed.
This is a free tool and I really just need to see the log from it first.
* Download Trend Micro HijackThis™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Hi,
This is a copy of the HijackThis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:21 PM, on 3/16/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)
O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O3 - Toolbar: etlrlws - {CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O21 - SSODL: btrklfr - {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll (file missing)
O21 - SSODL: MonSetup - {89da981f-b01a-4a92-ab98-c8026aa55815} - C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll
O21 - SSODL: bokpkov - {E9FB8075-6A1C-4B6B-A642-58997A26E3DB} - C:\WINDOWS\bokpkov.dll (file missing)
O21 - SSODL: altvxvm - {4CB6BFDF-00BA-4458-9320-1B8C5D7BD0D0} - C:\WINDOWS\altvxvm.dll (file missing)
O21 - SSODL: zip - {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg
O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg
O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg
--
End of file - 12368 bytes
Two lines in the log file grabbed my attention.
O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O3 - Toolbar: etlrlws - {CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll (file missing)
Two new toolbars have appeared in IE the last week. enlfxgw and etlrlws
I am a two on the one to ten scale of what I know about computers so be patient.
Sandy
Yes, well, those have already been fixed. It is what is behind them that we need to get at. Just sit back and let me do the driving because I do know what I'm doing here and what I'm looking at. "Leave the driving to us"
We have a combo of problems, a malware cocktail at the moment, so I will ask your patience in these next steps, because HijackThis just gives me a snapshot of A) your operating system and specifications, which lets me know which tools I can grab, B) what possible malware we might be dealing with, and C) other stuff I don't have the time to explain, but I can help you with this. This isn't going to be a quick and easy one, but we will get you resolved, I promise.
We only use free tools here by the way. Two steps next to follow. It may not solve everything but should make a serious dent in the malware and will give me some valuable info in the logs they produce in what steps may be needed after that.
Download ComboFix and save it to your desktop.
**Note: It is important that it is saved directly to your desktop**
1. Close any open browsers.
2. Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
.................
This one will do a complete system scan and tell me if any system files are infected (plus some other valuable log info)
* Go here to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
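The helper's triage above is done by eye: the two Temp toolbars, the "(file missing)" entries, the hijacked start page, the AppInit_DLLs and SSODL lines. As an added example that is not part of this thread, HijackThis or ComboFix, here is a small Python script that applies the same first-pass rules to a HijackThis-style log. Most sample lines are copied from the log posted above; the two O4 lines for cftmon.exe and Temp\winlogon.exe are constructed in the same format. The trusted-host list, the "unusual location" rules and the system-binary lookalike check are this script's own assumptions about what deserves a second look, not anything HijackThis itself does.

```python
"""First-pass triage of a HijackThis-style log. Added example for this thread,
not part of HijackThis or ComboFix; the allowlists and heuristics below are this
script's own assumptions about what deserves a second look."""
import re
from typing import List, Tuple

# Sample input: most lines are copied from the log posted above; the O4 lines
# for cftmon.exe and Temp\winlogon.exe are CONSTRUCTED in the same format.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)
O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [Firewall auto setup] C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O21 - SSODL: btrklfr - {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll (file missing)
"""

TRUSTED_BROWSER_HOSTS = ("microsoft.com", "msn.com", "live.com")       # assumption
SYSTEM_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "spoolsv.exe",
                   "ctfmon.exe", "services.exe", "smss.exe")              # assumption
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ENTRY = re.compile(r"^([RO]\d+) - ")                    # R0/R1/O2/O3/... lines only
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)
HOST = re.compile(r"=\s*(?:https?://)?([^/\s?]+)")    # host part of an R0/R1 value
Finding = Tuple[str, List[str]]                         # (log line, reasons flagged)


def looks_like(name: str, target: str) -> bool:
    """True when name is target or one edit away (substitution, insertion,
    deletion or adjacent swap): 'cftmon.exe' matches 'ctfmon.exe'."""
    if name == target:
        return True
    if len(name) == len(target):
        diffs = [i for i, (a, b) in enumerate(zip(name, target)) if a != b]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            return name[i] == target[i + 1] and name[i + 1] == target[i]
        return False
    if abs(len(name) - len(target)) == 1:
        short, long_ = sorted((name, target), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def unusual_location(path: str) -> bool:
    # Temp, the per-user Local Settings tree, or a file dropped straight into
    # C:\WINDOWS rather than one of its subfolders (assumption).
    p = path.lower()
    if "\\temp\\" in p or "\\local settings\\application data\\" in p:
        return True
    return p.startswith("c:\\windows\\") and p.count("\\") == 2


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue                       # header, process list, blank line
        kind, reasons = m.group(1), []
        if kind in ("R0", "R1"):
            h = HOST.search(line)
            host = h.group(1).lower() if h else ""
            if host and host != "about:blank" and not any(
                    host == d or host.endswith("." + d) for d in TRUSTED_BROWSER_HOSTS):
                reasons.append(f"browser start/search page points at {host}")
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("registry entry points at a file that is no longer there")
        if kind == "O20":
            reasons.append("AppInit_DLLs: loaded into every process that links user32.dll")
        if kind == "O21":
            reasons.append("SSODL: loaded by Explorer at logon, rarely used by legitimate software")
        if kind == "O16" and "file://" in line.lower():
            reasons.append("DPF entry sourced from a local file:// path instead of a web URL")
        pm = WIN_PATH.search(line)
        if pm:
            path = pm.group(0)
            if kind in ("O2", "O3", "O4", "O20", "O21") and unusual_location(path):
                reasons.append(f"autostart component in an unusual location: {path}")
            base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if not path.lower().startswith(SYSTEM_DIRS):
                for sysbin in SYSTEM_BINARIES:
                    if looks_like(base, sysbin):
                        reasons.append(f"{base} mimics {sysbin} outside System32")
                        break
        if reasons:
            findings.append((line, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags eight of the eleven entries and leaves the Microsoft default page, the QuickTime Run entry and the WGA DPF control alone. Orphaned entries such as the two Temp toolbars are flagged because, as the helper says, the registry reference is what is left behind once the DLL is gone; the lookalike check catches `cftmon.exe` as a misspelling of `ctfmon.exe` and `winlogon.exe` running from Temp, names the real system binaries never use from those locations.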
Here is the ComboFix Log file:
ComboFix 08-03-14.4 - Sandy 2008-03-16 23:08:22.2 - NTFSx86
Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 28672 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\kmd.exe
C:\WINDOWS\file896.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
----- BITS: Possible infected sites -----
hxxp://flycodecs.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_FCI
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.
2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp
2008-03-04 09:40 . 2008-03-04 09:40 48 --a------ C:\amp.bat
2008-03-04 09:37 . 2008-03-04 09:37 12,288 -r-h----- C:\WINDOWS\system32\syst0bv.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-17 03:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-15 17:00 --------- d-----w C:\Program Files\Google
2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db
2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken
2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!
2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert
2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec
2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT
2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9101D88-5C46-4757-87FC-40CAA937F9F2}]
C:\WINDOWS\drnpfdxfxv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F104576A-91BA-40AD-91DE-2C20801339AB}]
2004-06-02 07:12 1343488 --a------ C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EAF43BEC-A979-470B-8EC0-9225C11CB213}"= "C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll" [ ]
"{CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4}"= "C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{eaf43bec-a979-470b-8ec0-9225c11cb213}]
[HKEY_CLASSES_ROOT\enlfxgw.1]
[HKEY_CLASSES_ROOT\TypeLib\{979218FD-1E10-4F3A-AB90-98F77F50C7C2}]
[HKEY_CLASSES_ROOT\enlfxgw]
[HKEY_CLASSES_ROOT\clsid\{ce98234d-64c9-42be-80b9-5d9ec9e1e0a4}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{D8767936-8CDB-42B7-95D3-FFBBB0CFF278}]
[HKEY_CLASSES_ROOT\etlrlws]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-18 10:36 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"btrklfr"= {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll [ ]
"MonSetup"= {89da981f-b01a-4a92-ab98-c8026aa55815} - C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll [2008-03-12 15:28 18674]
"bokpkov"= {E9FB8075-6A1C-4B6B-A642-58997A26E3DB} - C:\WINDOWS\bokpkov.dll [ ]
"altvxvm"= {4CB6BFDF-00BA-4458-9320-1B8C5D7BD0D0} - C:\WINDOWS\altvxvm.dll [ ]
"zip"= {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll [2008-03-12 15:28 23250]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]
C:\WINDOWS\twain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]
--a------ 2000-11-13 10:36 131072 C:\ImageMate CompactFlash USB\SandIcon.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:
"2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 23:18:59
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2600.0000]
-> C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll
-> C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-03-16 23:23:51 - machine was rebooted [sandy]
ComboFix-quarantined-files.txt 2008-03-17 05:23:41
ComboFix2.txt 2008-03-06 03:43:46
.
2008-03-15 08:55:48 --- E O F ---
Here is the new HijackThis log file (and I am going online to do the ESET scan now):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:01 PM, on 3/16/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)
O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O3 - Toolbar: etlrlws - {CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O21 - SSODL: btrklfr - {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll (file missing)
O21 - SSODL: MonSetup - {89da981f-b01a-4a92-ab98-c8026aa55815} - C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll
O21 - SSODL: bokpkov - {E9FB8075-6A1C-4B6B-A642-58997A26E3DB} - C:\WINDOWS\bokpkov.dll (file missing)
O21 - SSODL: altvxvm - {4CB6BFDF-00BA-4458-9320-1B8C5D7BD0D0} - C:\WINDOWS\altvxvm.dll (file missing)
O21 - SSODL: zip - {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg
O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg
O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg
--
End of file - 12874 bytes
0 -
Don't worry about being a Two on a scale of 1 to 10. We're quite used to that and tailor our responses and replies to accommodate those who fear complicated instructions, so we try to make them easy to follow. If you do have any problems understanding my steps, please feel free to let me know. We are all new to some things the first time and we understand how scary this all may seem. We are also used to folks who are 2's on malware removal. The 10's already know how to solve it and would not be here requesting help (they are usually the ones here helping you), so you are not alone.
0 -
A few quick responses this morning.
I have not uninstalled Norton yet. I did download AVG, but haven't installed it yet.
I have uploaded the jpg file from the scan where I couldn't quarantine or remove the files.
During the night and this morning, there have been three instances where web pages opened on my pc and music started playing.
Sandy
0 -
Okay...I can't get this to work. It keeps shutting IE down.
Sandy
This one will do a complete system scan and tell me if any system files are infected (plus some other valuable log info)
* Go here to run an online scanner from ESET.
-
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
0 -
-
This machine is really infected. One huge problem is that it is extremely vulnerable to exploit because you do not have any Critical security updates installed. How come no Windows updates - no service packs?
Run this free tool next please:
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
0 -
-
My home page is now changing to other sites. This had not been happening for a few days. It was opening on about:blank.
Now it is opening on something I have never seen before.
0 -
No, can't update to SP2 right now while it's infected. You need a genuine copy of XP for it to update. I may be able to help with that but first....
When you purchased this machine did it come with the original install disk? Do you have that?
0 -
I purchased this computer from a friend and I have never been able to get the update to run correctly. I don't want to update to Vista, but would purchase XP, but where do you recommend I log on to? MS website has it for $149. Is there someplace less expensive?
Should I go ahead and get XP SP2 on this machine or run the tool first that you just recommended?
Sandy
0 -
Shall I go ahead with SDFix?
0 -
No...sorry...
When you purchased this machine did it come with the original install disk? Do you have that?
0 -
Well, the trojan I suspect I see in those logs is a nasty one and SDFix may be able to remove it but I can't make any guarantees you might not lose windows and with no install disk and no recovery console installed on there it is a risk. But since you are going to need to get genuine windows on there, you may just want to think about a reformat and reinstall. Are you capable of doing that? I'm not sure of the exact nature of the trojan on there but it does smell like a remote access trojan (the SDbot family, hence the name of fix tool "SDFix"). Some have been known to make removal difficult and make a pc unbootable or otherwise inoperable during the removal process. It is rare but it does happen.
How long have you had the machine and is there any sensitive info of yours on it?
0 -
I am sure you can tell this is an older machine. It has always been a very solid reliable machine until the last maybe ten days. I have always had Norton running on my computers, but several people have told me Ad-Aware and AVG combined are just as good. I have been impressed with the support staff (you) at Lavasoft.
Sensitive info...yes.
What next, great master?
0 -
I have gone ahead with SDFix. Here is the report, followed by a new HijackThis log file. Thanks.
Sandy
SDFix: Version 1.158
Run by Sandy on Mon 03/17/2008 at 07:13 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\SYSTEM32\SIRENA~1.DLL - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 19:25:20
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 30 Jan 2002 24,448 A.SHR --- "C:\NTBOOTDD.SYS"
Tue 4 Mar 2008 12,288 ...HR --- "C:\WINDOWS\system32\syst0bv.exe"
Fri 27 Jul 2007 39,936 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0001.tmp"
Thu 28 Jun 2007 43,520 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0003.tmp"
Sat 2 Jun 2007 45,568 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0871.tmp"
Thu 21 Jun 2007 37,888 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0975.tmp"
Sat 2 Jun 2007 39,936 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL1555.tmp"
Thu 19 Apr 2007 26,624 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL1826.tmp"
Wed 12 Mar 2008 23,250 ..SHR --- "C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll"
Wed 12 Mar 2008 18,674 ..SHR --- "C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll"
Fri 28 May 2004 0 ...H. --- "C:\Documents and Settings\Sandy\Application Data\Microsoft\Word\~WRL4025.tmp"
Wed 21 Nov 2007 7,798 A..H. --- "C:\Documents and Settings\Sandy\Application Data\Microsoft\Office\Shortcut Bar\Off32.tmp"
Finished!
---------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:25 PM, on 3/17/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg
O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg
O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg
--
End of file - 11074 bytes
0 -
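The two HijackThis logs in this thread are read by hand above, picking out the entries a helper treats as red flags: components that are `(file missing)` but still registered, `O20 AppInit_DLLs` and `O21 SSODL` loaders, `O16 DPF` objects that point at a local `.exe` instead of a downloaded `.cab`, DLLs dropped straight into `C:\WINDOWS\` or a `Temp` folder, and IE start/search pages redirected away from Microsoft hosts. The script below is an added example, not code from Lavasoft, Trend Micro or anyone in this thread, that turns those reading rules into a small triage pass over HijackThis-format lines. The sample lines are copied from the logs posted above (one benign entry per category is included so the heuristics can be seen not firing), the `TRUSTED_URL_HOSTS` allowlist is an assumption about what an unchanged IE default looks like, and the reasons it prints are triage hints for a human reader, not verdicts.

```python
"""Triage pass over HijackThis v2-format log lines (added example, not the tool's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample lines copied from the HijackThis logs posted in this thread. The first R1,
# the Adobe O2, the WGA O16 and the Ad-Aware O23 lines are benign controls.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)
O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O21 - SSODL: btrklfr - {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Assumption: hosts an untouched Internet Explorer start/search page would point at.
TRUSTED_URL_HOSTS = ("microsoft.com", "msn.com")
MISSING = "(file missing)"
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str           # HijackThis section, e.g. "O21"
    target: str         # path or URL the entry points at
    reasons: List[str]  # why a helper would look twice at it


def _target_of(kind: str, body: str) -> str:
    """Extract the path/URL from an entry body."""
    if kind.startswith("R"):
        # R0/R1 lines look like 'HKLM\...\Main,Start Page = http://...'
        return body.partition(" = ")[2].strip()
    tail = body.rsplit(" - ", 1)[-1]
    if tail == body:                       # O20 style: 'AppInit_DLLs: <path>'
        tail = body.split(": ", 1)[-1]
    return tail.strip()


def assess(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks off."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    target = _target_of(kind, body)
    missing = target.endswith(MISSING)
    path = target[: -len(MISSING)].strip() if missing else target
    low = path.lower()
    reasons: List[str] = []

    if missing:
        reasons.append("registered component whose file is gone (orphaned entry)")
    if kind == "O20":
        reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll")
    if kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad runs inside Explorer at logon")
    if kind in ("R0", "R1") and low.startswith("http"):
        host = urlparse(low).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_URL_HOSTS):
            reasons.append(f"IE start/search page points at non-default host {host}")
    if kind == "O16" and (low.startswith("file://") or low.endswith(".exe")):
        reasons.append("DPF object references a local executable rather than a downloaded .cab")
    if "\\temp\\" in low:
        reasons.append("component lives in a Temp directory")
    if re.fullmatch(r"c:\\windows\\[^\\]+\.dll", low):
        reasons.append("DLL placed directly in the Windows root")

    return Finding(kind, path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run assess() over every line and keep only the entries with reasons."""
    return [f for f in (assess(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run as-is it prints the six flagged entries from the sample and leaves the four benign controls silent; pointing `triage()` at a whole saved HijackThis log gives a helper a first-pass shortlist to read against the full log, which is the workflow the thread follows by hand.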
Ok, glad that went ok, but I still see some problems. Could you give me another run with Combofix and fresh log from it please?
0 -
Here is the new log file from ComboFix.
Thanks,
Sandy
ComboFix 08-03-14.4 - Sandy 2008-03-17 20:18:54.4 - NTFSx86
Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-17 19:10 . 2008-03-17 19:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-17 19:05 . 2008-03-17 19:31 <DIR> d-------- C:\SDFix
2008-03-16 23:32 . 2008-03-16 23:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp
2008-03-04 09:40 . 2008-03-04 09:40 48 --a------ C:\amp.bat
2008-03-04 09:37 . 2008-03-04 09:37 12,288 -r-h----- C:\WINDOWS\system32\syst0bv.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-17 22:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-17 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 17:00 --------- d-----w C:\Program Files\Google
2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db
2008-03-12 21:19 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken
2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!
2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert
2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec
2008-02-11 15:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 15:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 19:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT
2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_23.23.09.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-18 01:11:06 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-18 01:11:06 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-18 01:10:55 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-18 01:10:55 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\LastGood\System32\LegitCheckControl.DLL
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\LastGood\System32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\LastGood\System32\lnod32upd.dll
+ 2008-02-11 15:39:26 253,952 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerUninstaller.exe
- 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
- 2008-03-17 05:17:27 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-18 02:19:39 163,840 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F104576A-91BA-40AD-91DE-2C20801339AB}]
2004-06-02 07:12 1343488 --a------ C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]
C:\WINDOWS\twain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]
C:\ImageMate CompactFlash USB\SandIcon.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:
"2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 20:22:36
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-17 20:23:59
ComboFix-quarantined-files.txt 2008-03-18 02:23:55
ComboFix2.txt 2008-03-17 21:29:47
ComboFix3.txt 2008-03-17 05:23:52
ComboFix4.txt 2008-03-06 03:43:46
.
2008-03-15 08:55:48 --- E O F ---
0 -
I'm going to try to help you get the malware off of here, but I smell a rootkit possibly and am going to call in a consult on how to proceed with the fix. I do need that ComboFix report for that, which will give us the current state after running those other tools. I now see you have posted that, so let me call in the cavalry and see if we can proceed. (It might be morning before I can get someone in here to look at it with me.)
But then we have the problem of an unpatched XP machine, and one that has possibly been compromised. (Consider that your sensitive data MAY have been stolen by an intruder; once we get it clean, it would be a good idea to change all passwords and monitor any accounts you have: bank, credit card, email account, anything.)
For the unpatched machine, I can get you a genuine boxed version of XP with SP2 sent to you from Microsoft as a gift from me. I don't know if you can just reinstall that and you may have to check with the manufacturer of the machine on if that is possible or what it would cost to get some disks from them. A trusted local repair shop might be needed if you are not real savvy with computers.
If you haven't backed up any important data on your PC that you want to keep, start doing that and keep this machine off the net as much as possible. If you have access to another clean computer you can use to check for new messages here, then do that.
Oh, and I'm not the support team. Technical support for Lavasoft products is here:
http://www.lavasoft.com/support/supportcenter/
But this isn't a problem with the Ad-Aware program, so they can't really help with malware removal. I do that here on my own free time because helping with malware removal is what I do for fun and the enjoyment of helping others. My official duties here are Forum Administrator (helping provide these forums for free users and others who wish to discuss Lavasoft products and share information), and I also am a malware consultant.
I don't usually advise people to switch AV products, as all the top-rated ones are about the same. And all can miss an infection, especially a new variant of whatever is going around, and your unpatched machine is sure susceptible to that. If you have a good current version of Symantec (something current, as in 2007 or 2008), then that should be good enough, especially if you are comfortable with it. Ad-Aware is a nice extra program to have for spyware protection, as that is our specialty. IF you have a very old version of Norton (like 2003 or 2004), that is very old and obsolete, and I would then advise getting AVG, as if this machine is older, the more current versions of Symantec might really slow it down and hurt performance. Malware has changed over the years, and nowadays you really need a current, up-to-date version of antivirus.
So even if we can get this clean and working and you happy with good current security programs, an unpatched machine is very likely to just get infected again right away.
0 -
Keep the Norton on there for now. 2007 is a current version and I see no need to complicate matters trying to uninstall that and learn a new AV, as there is not much advantage to doing that. The biggest problem with the security on this PC is the unpatched vulnerabilities; we'll tackle that problem next. This may be a valid Windows you have installed and it just needs updating, but we can't do that while it's infected. Please don't go surfing anywhere on it other than to check for instructions here for the time being.
I have a set of steps here to fix, thanks to the assistance and second opinion of one of our malware removal experts here in the forums. Thanks to Miekiemoes!
1. Make a copy of these instructions to have handy or print them out. You'll need to do these steps with all browsers closed, and it is best to disconnect from the internet during this fix (so you won't be able to view the steps from here).
2. Close all programs and any open windows or browsers and open HijackThis. Choose to do a *system scan only*.
3. When it finishes, place a checkmark next to the following entries in the list:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
Once you have the listed entries checkmarked, press the *Fix checked* button in HijackThis, and then you can close it and proceed to step 4.
4. * Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text you see in bold below into notepad:
File::
C:\Program Files\Internet Explorer\mokeogmv.exe
C:\WINDOWS\system32\syst0bv.exe
C:\amp.bat
C:\WINDOWS\System32\win_3u.dll
C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
Folder::
C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}
C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F104576A-91BA-40AD-91DE-2C20801339AB}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
Save this notepad file as CFScript.txt, in the same location as ComboFix.exe (your desktop)
Referring to the picture above, drag CFScript.txt and drop it onto ComboFix.exe.
This will start ComboFix again.
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
* A new HijackThis log
...............
6. There are two files I need you to check to see if they are infected, so I need you to do the following for a single-file virus scan on them.
Go here:
Use the browse button to navigate to the following file:
C:\WINDOWS\LMIE7.tmp
A separate box should pop up to allow you to browse to the file in that location (C:\Windows). When you see LMIE7.tmp, click on it to highlight it and hit the *open* button. You should now see that file in the browse box there at VirusTotal. Hit *send file* and wait while it scans your file. It will give you a report at the end when it finishes. Please copy that report and paste it into your reply back here.
Now do the same with the file:
C:\WINDOWS\LMI108D.tmp
0 -
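Several entries in the Reg Loading Points section of the ComboFix log above share patterns that can be checked mechanically: a binary spelled almost like ctfmon.exe sitting in a per-user Application Data folder, a winlogon.exe in a Temp directory, a spools.exe next to the real spoolsv.exe, and a non-empty AppInit_DLLs value. The Python script below is an added example, not code from this thread or from the ComboFix or HijackThis authors. It reads lines in the format ComboFix prints and flags entries matching those patterns. The list of core Windows binary names, the directory heuristics and the similarity cutoff are assumptions of this example, and the sample input is a constructed excerpt of the log posted above.

```python
"""Triage autostart entries from a ComboFix 'Reg Loading Points' section.

Added example (not part of the thread, nor of ComboFix/HijackThis).  Flags:
  * a binary launched from a Temp or per-user profile directory,
  * a core Windows binary name outside the Windows directory, or a name
    that differs from one by a character or two (cftmon vs ctfmon),
  * a non-empty AppInit_DLLs value (that DLL is loaded into every process
    that loads user32.dll).
"""
import difflib
import re

# Core Windows binaries whose names malware likes to borrow (assumed list).
SYSTEM_BINARIES = {
    "winlogon.exe", "ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
    "services.exe", "explorer.exe", "csrss.exe", "smss.exe",
}
# Where those binaries legitimately live (lower-case, no trailing backslash).
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Directory fragments a legitimate autostart binary almost never runs from.
SUSPECT_DIRS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\",
    "\\application data\\", "\\downloaded program files\\",
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);")
PATH_RE = re.compile(
    r'(?P<path>[a-z]:\\.+?\.(?:exe|dll|sys|bat|com))(?=["\s\]]|$)', re.IGNORECASE)


def assess(line, path):
    """Return the reasons (possibly none) an autostart entry looks suspicious."""
    reasons = []
    low = path.lower()
    parent, name = low.rsplit("\\", 1)
    if any(frag in low for frag in SUSPECT_DIRS):
        reasons.append("runs from a temp or user-profile directory")
    if name in SYSTEM_BINARIES:
        if parent not in WINDOWS_DIRS:
            reasons.append("system binary name outside the Windows directory")
    else:
        # Near-miss spellings such as cftmon.exe or spools.exe (cutoff assumed).
        near = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.85)
        if near:
            reasons.append("name imitates " + near[0])
    if line.lower().startswith('"appinit_dlls"='):
        reasons.append("AppInit_DLLs set: DLL loads into every process that uses user32.dll")
    return reasons


def triage(lines):
    """Walk the log, returning one finding per suspicious entry."""
    findings = []
    key = "?"
    for raw in lines:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:                      # a registry key header starts a new entry
            key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:                      # R2/S3 lines describe services and drivers
            key = "service " + m.group("name")
        m = PATH_RE.search(line)
        if not m:
            continue
        reasons = assess(line, m.group("path"))
        if reasons:
            findings.append({"key": key, "path": m.group("path"), "reasons": reasons})
    return findings


# Constructed sample: an excerpt of the Reg Loading Points section posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s\n  %s\n  -> %s" % (f["key"], f["path"], "; ".join(f["reasons"])))
```

On the sample above the script flags four entries (the AppInit DLL, cftmon.exe, the Temp winlogon.exe and spools.exe) and leaves the Symantec, HP, Java and ctfmon.exe-in-System32 entries alone. Keys under msconfig\startupreg are Run items that were disabled through msconfig, so a flagged entry there may point at a file that no longer exists; the finding still tells you what was once configured to start, which is why the script reports it regardless. A heuristic like this is a starting point for a human review such as the one in this thread, not a replacement for it.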
I am getting ready to go offline. I will check here in the am sometime.
A lot to think about...I have Norton 2007, with one month to go before I have to update to 2008. I am thinking it is time to get something new. I have loved this pc and never had any problems, but it is getting old (like me)!
Will check for a post from you tomorrow.
Bye for now.
Sandy
0 -
I am now to this point. LMIE7 and LMI108D are folders. Do you want me to run each file inside the folder through the virustotal scan? These are folders created when Norton's tech help worked on my machine. On March 5th, they got the computer back to working correctly. On the 13th, I think they gave up.
Sandy
6. There are two files I need you to check to see if they are infected, so I need you to do the following for a single-file virus scan on them.
Go here:
Use the browse button to navigate to the following file:
C:\WINDOWS\LMIE7.tmp
A separate box should pop up to allow you to browse to the file in that location (C:\Windows). When you see LMIE7.tmp, click on it to highlight it and hit the *open* button. You should now see that file in the browse box there at VirusTotal. Hit *send file* and wait while it scans your file. It will give you a report at the end when it finishes. Please copy that report and paste it into your reply back here.
Now do the same with the file:
C:\WINDOWS\LMI108D.tmp
0 -
Here is the new ComboFix log file followed by the new HijackThis log file:
ComboFix 08-03-14.4 - Sandy 2008-03-18 11:18:29.5 - NTFSx86
Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandy\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}
C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll
C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}
C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-17 19:10 . 2008-03-17 19:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-17 19:05 . 2008-03-17 19:31 <DIR> d-------- C:\SDFix
2008-03-16 23:32 . 2008-03-16 23:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp
2008-03-04 09:40 . 2008-03-04 09:40 48 --a------ C:\amp.bat
2008-03-04 09:37 . 2008-03-04 09:37 12,288 -r-h----- C:\WINDOWS\system32\syst0bv.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-18 14:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-17 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 17:00 --------- d-----w C:\Program Files\Google
2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db
2008-03-12 21:19 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken
2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!
2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert
2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec
2008-02-11 15:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 15:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 19:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT
2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_23.23.09.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-18 01:11:06 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-18 01:11:06 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-18 01:10:55 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-18 01:10:55 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\LastGood\System32\LegitCheckControl.DLL
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\LastGood\System32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\LastGood\System32\lnod32upd.dll
+ 2008-02-11 15:39:26 253,952 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerUninstaller.exe
- 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2008-03-18 07:41:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat
- 2008-03-17 05:17:27 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-18 17:15:16 360,448 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]
C:\WINDOWS\twain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]
C:\ImageMate CompactFlash USB\SandIcon.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:
"2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 11:23:38
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-18 11:24:58
ComboFix-quarantined-files.txt 2008-03-18 17:24:48
ComboFix2.txt 2008-03-17 21:29:47
ComboFix3.txt 2008-03-17 05:23:52
ComboFix4.txt 2008-03-06 03:43:46
.
2008-03-15 08:55:48 --- E O F ---
______________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:35 AM, on 3/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg
O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg
O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg
--
End of file - 10019 bytes
0 -
You know, I have to compliment you on following the instructions I've been giving. You do really well. It's looking better but I still see some issues there (not sure if I'm reading the logs right so I'll check with Mieke once more to get her opinion).
On those temp directories in question: if Norton created them, I'm not too worried about them; they were simply mystery files.
I would like to do this next, please, because I do want to examine the files that the last ComboFix run quarantined and see what is there.
Go to this folder:
C:\QooBox\Quarantine
Right-click on it, choose "Send to compressed (zipped) folder", and that will make a zip file
in the same location, i.e.:
C:\QooBox\Quarantine.zip
Please go here to upload a suspicious file for analysis.
* Enter your username from this forum as: nedustbu at LS
* Copy and paste the link to this thread: http://www.lavasoftsupport.com/index.php?showtopic=17040
* Click "Browse" on the first field.
Browse to the following file, click the file with your mouse, and press "Open"
C:\QooBox\Quarantine.zip
* In the comments, please mention that I asked you to upload this file
* Click on Send File
I'll get it and report back to you here.
.................
Meanwhile, I see signs of a really ancient infection that I haven't seen in a long, long time, so I want to run this tool on it to see what the results are (this is a free tool from Trend Micro).
Go here:
http://us.trendmicro.com/us/products/perso...dder/index.html
Click the *Remove Coolwebsearch* button.
That should prompt a download of a file. Save it to your desktop.
Then double click CWShredder.exe to run it
The icon to click on will look like this:
You will get a screen like this. Checkmark the box that says: "Move CWS files found to the recycle bin instead of deleting them"
Then press the *Fix* button to the far right and that will run the tool.
It should make a log at the end. Could you please copy and paste the results back here?
0 -
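Reading a HijackThis log "right", as discussed above, comes down to asking a few mechanical questions about every autostart entry: does the file run from a temp or profile directory, does it borrow the name of a Windows system binary while living outside System32, is its name one typo away from one (the way a cftmon.exe shadows ctfmon.exe), and does a service have no publisher? The following is an added Python example, not code from this thread, from HijackThis, ComboFix or CWShredder, that applies those checks to constructed O4/O23 lines whose paths are modelled on entries that appear in this thread. The list of system binary names, their home directories and the set of programs allowed directly in %SystemRoot% are assumptions, and every finding is a prompt to go look at the file, not a verdict.

```python
"""Heuristic triage of HijackThis-style autostart lines.

Added example for this thread; it is not code from HijackThis, ComboFix or
CWShredder. SAMPLE_LOG is constructed in the format HijackThis prints, with
paths modelled on entries that appear in this thread. Findings are prompts
for a human to verify the file, not verdicts.
"""
import re

# Windows XP binaries whose names malware commonly borrows, and the directory
# each one legitimately runs from (assumed list).
SYSTEM_BINARIES = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Programs that legitimately sit directly in %SystemRoot% (assumed short list).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
# Path fragments that mark user-writable or temporary locations.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                         "\\desktop\\", "\\documents and settings\\", "\\docume~1\\")

# "O4 - HKLM\..\Run: [name] C:\path\file.exe args" and
# "O23 - Service: name - owner - C:\path\file.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'cftmon' is one step from 'ctfmon'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_path(cmd):
    """Pull the executable path out of a Run value or service command line,
    dropping arguments and HijackThis' trailing "(User '...')" note."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.(exe|sys|dll)\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd


def check_path(path):
    """Return the reasons a path deserves a second look (empty list if none)."""
    findings = []
    low = path.lower().replace("/", "\\")
    directory, _, base = low.rpartition("\\")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        findings.append("runs from a user-writable or temporary location")
    home = SYSTEM_BINARIES.get(base)
    if home is not None and directory != home:
        findings.append(f"uses the Windows system binary name {base} outside {home}")
    else:
        for sysname in SYSTEM_BINARIES:
            if base != sysname and osa_distance(base, sysname) == 1:
                findings.append(f"name is one edit away from the Windows binary {sysname} (lookalike)")
    if directory == r"c:\windows" and base not in WINDIR_ROOT_OK:
        findings.append("runs from the %SystemRoot% root rather than System32; verify the file")
    return findings


def triage(log_text):
    """Parse O4/O23 lines and return (entry name, path, findings) per entry."""
    rows = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            rows.append((m.group("name"), path, check_path(path)))
            continue
        m = O23_RE.match(line)
        if m:
            path = extract_path(m.group("path"))
            findings = check_path(path)
            if m.group("owner").strip().lower() == "unknown owner":
                findings.append("service reports no publisher (Unknown owner); confirm the file's origin")
            rows.append((m.group("name"), path, findings))
    return rows


# Constructed sample lines in HijackThis format; paths modelled on this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [Firewall auto setup] C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [Outlook Express] C:\WINDOWS\twain.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

if __name__ == "__main__":
    for name, path, findings in triage(SAMPLE_LOG):
        status = "; ".join(findings) if findings else "nothing stands out"
        print(f"[{name}] {path}\n    -> {status}")
```

Note what the heuristics do and do not catch: the genuine ctfmon.exe in System32 and the Lavasoft service come back clean, the Temp\winlogon.exe and the cftmon.exe lookalike are flagged on two counts each, and the ATI poller is flagged only because it reports "Unknown owner", which is a reason to check the file, not evidence of infection. A twain.exe sitting in the Windows root under an "Outlook Express" entry name only earns a weak "verify" note; recognising that an entry name has nothing to do with its file is still a job for the person reading the log.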
Ack, hope I'm not too late to catch you.
I meant to ask if you had Ad-watch turned off (and you should probably temporarily turn off Symantec also) during these runs. Ad-Watch especially as it might interfere with the fixes we are trying to make.
0 -
This is the results from CWShredder. Let me know if this is what you are looking for.
Sandy
__________________________________________
**** Run Keys ****
**** Browser Helper Objects ****
BHO: [Adobe PDF Reader Link Helper] C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
BHO: [Adobe PDF Reader Link Helper] C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
BHO: [SSVHelper Class] C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
BHO: [ST] C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar1.dll
BHO: [MSNToolBandBHO] C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
**** IE Toolbars ****
TOOLBAR: [MSN] C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [&Google] c:\program files\google\googletoolbar1.dll
**** IE Extensions ****
IEExt: [Web Browser Applet Control] C:\WINDOWS\System32\msjava.dll
IEExt: [@shdoclc.dll,-866] C:\WINDOWS\System32\msjava.dll
IEExt: [Messenger] C:\Program Files\Messenger\MSMSGS.EXE
**** Hosts File Entries ****
HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost
**** IE Settings ****
Default Page: http://go.microsoft.com/fwlink/?LinkId=69157
Default Search: http://go.microsoft.com/fwlink/?LinkId=54896
**** IE Context Menu (Right click) ****
IEContext: [E&xport to Microsoft Excel] res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
**** Layered Service Providers ****
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A698E84-917B-470D-AACE-A4B53C78DB6A}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A698E84-917B-470D-AACE-A4B53C78DB6A}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A027DA03-4B42-4F4F-843F-FD4BCAFA15E4}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A027DA03-4B42-4F4F-843F-FD4BCAFA15E4}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D014E927-8DBC-421C-B0EB-EC50EE78E4AE}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D014E927-8DBC-421C-B0EB-EC50EE78E4AE}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5DA86DA3-6BB3-4D41-BC68-2CFE26FD9543}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5DA86DA3-6BB3-4D41-BC68-2CFE26FD9543}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08269CD8-8B7B-4349-862F-3A9592824C53}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08269CD8-8B7B-4349-862F-3A9592824C53}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF277F47-711D-4A29-AB82-BEAE7774B133}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF277F47-711D-4A29-AB82-BEAE7774B133}] DATAGRAM 5
**** Blocked Control Panel Items ****
BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No
**** Downloaded Program Files ****
Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{02BCC737-B171-4746-94C9-0D8A0B2C0089} [http://office.microsoft.com/templates/ieawsdc.cab] C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
{0335A685-ED24-4F7B-A08E-3BD15D84E668} [http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab]
{10E0E75E-6701-4134-9D95-C0942ED1F1C8} [http://www.snapfish.com/SnapfishOutlookImport.cab]
{166B1BCA-3F9C-11CF-8075-444553540000} [http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw_promo.cab]
{17492023-C23A-453E-A040-C7C580BBF700} [http://go.microsoft.com/fwlink/?linkid=39204]
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} [http://www.symantec.com/techsupp/asa/LSSupCtl.cab]
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab] C:\WINDOWS\Downloaded Program Files\navapi.vxd C:\WINDOWS\Downloaded Program Files\navapi32.dll C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll C:\WINDOWS\Downloaded Program Files\avsniff.dll
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} [C:\Program Files\Yahoo!\Common\yinsthelper.dll]
{406B5949-7190-4245-91A9-30A17DE16AD0} [http://www.snapfish.com/SnapfishActivia.cab]
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} [http://www.eset.eu/buxus/docs/OnlineScanner.cab] C:\WINDOWS\System32\unicows.dll C:\WINDOWS\System32\lnod32umc.dll C:\WINDOWS\System32\lnod32upd.dll C:\WINDOWS\System32\lnod32apiW.dll C:\WINDOWS\System32\lnod32apiA.dll C:\WINDOWS\System32\OnlineScannerDLLW.dll C:\WINDOWS\System32\OnlineScannerDLLA.dll C:\WINDOWS\System32\OnlineScanner.ocx
{60EFC337-15C2-4369-B2A0-3429B071D8B8} [http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB]
{6414512B-B978-451D-A0D8-FCFDF33E833C} [http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108410660308]
{644E432F-49D3-41A1-8DD5-E099162EEEC5} [http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab]
{6A344D34-5231-452A-8A57-D064AC9B7862} [https://webdl.symantec.com/activex/symdlmgr.cab]
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152998967447]
{6F750200-1362-4815-A476-88533DE61D0C} [http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab]
{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} [http://www.shockwave.com/content/luxor/mjolauncher.cab]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38103.3629050926]
{A8658086-E6AC-4957-BC8E-8D54A7E8A790} [http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB]
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} [http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab]
{B8BE5E93-A60C-4D26-A2DC-220313175592} [http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab]
{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab]
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab]
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab]
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]
{CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]
{CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]
{CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]
{CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]
{CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]
**** Windows Services ****
[aawservice] "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[Ati HotKey Poller] %SystemRoot%\System32\Ati2evxx.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[Automatic LiveUpdate Scheduler] "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
[ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
[cisvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[CLTNetCnService] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon
[comHost] "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe"
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[gusvc] "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[IDriverT] "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
[ImapiService] C:\WINDOWS\System32\imapi.exe
[iPod Service] C:\Program Files\iPod\bin\iPodService.exe
[ISPwdSvc] "C:\Program Files\Norton Internet Security\isPwdSvc.exe"
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LiveUpdate] "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
[LiveUpdate Notice Ex] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
[LiveUpdate Notice Service] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[MDM] "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] %systemroot%\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[Pml Driver HPZ12] %SystemRoot%\System32\svchost.exe -k HPZ12
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{F3934BDD-7FC3-4230-9F32-9E0E3E4F3148}
[Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
[SymAppCore] "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\System32\wdfmgr.exe
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[usnjsvc] "C:\Program Files\MSN Messenger\usnsvc.exe"
[Viewpoint Manager Service] "C:\Program Files\Viewpoint\Common\ViewpointService.exe"
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
**** Custom IE Search Items ****
SEARCH: [SearchAssistant] http://www.google.com/ie
SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SEARCH: [Default_Search_URL] http://www.google.com/ie
**** Complete IE Options ****
IEOPT: [Default_Page_URL] http://go.microsoft.com/fwlink/?LinkId=69157
IEOPT: [Default_Search_URL] http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Search Page] http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.msn.com/
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Use Search Asst] no
0 -
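The CWShredder report above is organised into "**** Section ****" blocks of "KIND: value" lines, and the sections it enumerates are the places a browser hijacker of that era would have left its marks: the Winsock LSP chain, the hosts file and the IE start/search URLs. The following is an added Python example, not code from this thread, from CWShredder, Trend Micro or Lavasoft, that parses a report in that format and applies those three checks. The input is constructed: the Microsoft LSP lines and the doubled "127.0.0.1 localhost" entry mirror the report above, while the "Acme Redirect Provider" LSP, the av-vendor hosts line and the hijack search URL are invented to show what a tampered report would look like. The list of expected URL hosts is an assumption about this user's normal settings.

```python
"""Checks over CWShredder-style report sections.

Added example for this thread; it is not code from CWShredder, Trend Micro or
Lavasoft. SAMPLE is constructed in the section/entry format CWShredder prints:
the Microsoft LSP lines and the doubled localhost entry mirror the report in
the thread, while the 'Acme Redirect Provider' LSP, the av-vendor hosts line
and the hijack search URL are invented to show what a tampered report looks
like. EXPECTED_URL_HOSTS is an assumption about this user's normal settings.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^\*{4} (?P<title>.+?) \*{4}$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z][A-Za-z ]*?): (?P<rest>.*)$")

# Winsock providers that ship with Windows XP; anything else in the chain needs an owner.
KNOWN_LSP_PREFIXES = ("MSAFD Tcpip", "MSAFD NetBIOS",
                      "RSVP UDP Service Provider", "RSVP TCP Service Provider")
# Hosts the start/search URLs are expected to point at (assumption).
EXPECTED_URL_HOSTS = {"go.microsoft.com", "ie.search.msn.com", "www.msn.com", "www.google.com"}


def parse_sections(text):
    """Return {section title: [(kind, rest), ...]}; lines without a 'KIND: ' prefix get kind ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        sections[current].append((m.group("kind"), m.group("rest")) if m else ("", line))
    return sections


def check_lsp_chain(entries):
    """Winsock providers that are not the stock Microsoft ones; a foreign LSP sees all traffic."""
    return [rest for kind, rest in entries if kind == "LSP" and not rest.startswith(KNOWN_LSP_PREFIXES)]


def check_hosts(entries):
    """Hosts-file mappings other than localhost (malware uses the file both to redirect
    names and to black-hole vendor update servers), plus duplicated lines."""
    review, seen = [], Counter()
    for kind, rest in entries:
        if kind != "HOSTS":
            continue
        parts = rest.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            seen[(parts[0], name)] += 1
            if name.lower() != "localhost":
                review.append(f"{name} -> {parts[0]}")
    review += [f"duplicate line: {ip} {name}" for (ip, name), n in seen.items() if n > 1]
    return review


def check_ie_urls(entries):
    """Start/search URLs whose host is not one of the expected vendor hosts."""
    out = []
    for kind, rest in entries:
        m = re.search(r"https?://([^/\s]+)", rest)
        if m and m.group(1).lower() not in EXPECTED_URL_HOSTS:
            out.append(rest)
    return out


def run_checks(text):
    """Apply all three checks to a CWShredder-style report and return the findings."""
    s = parse_sections(text)
    return {
        "unexpected LSPs": check_lsp_chain(s.get("Layered Service Providers", [])),
        "hosts entries to review": check_hosts(s.get("Hosts File Entries", [])),
        "hijacked IE URLs": check_ie_urls(s.get("IE Settings", []) + s.get("Custom IE Search Items", [])),
    }


# Constructed sample report; see the module docstring for which lines are invented.
SAMPLE = r"""
**** Hosts File Entries ****
HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 update.av-vendor.invalid
**** IE Settings ****
Default Page: http://go.microsoft.com/fwlink/?LinkId=69157
Default Search: http://search.hijack.invalid/q
**** Layered Service Providers ****
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: Acme Redirect Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A698E84-917B-470D-AACE-A4B53C78DB6A}] SEQPACKET 0
**** Custom IE Search Items ****
SEARCH: [SearchAssistant] http://www.google.com/ie
"""

if __name__ == "__main__":
    for check, items in run_checks(SAMPLE).items():
        print(f"{check}: {items if items else 'none'}")
```

Run against the report actually posted above, the LSP and URL checks come back empty and the hosts check reports only the duplicated localhost line, which is harmless clutter rather than a hijack. The value of the script is that a foreign LSP or a vendor update host pinned to 127.0.0.1 is easy to skim past in a wall of MSAFD lines, and a chained LSP in particular sees every socket on the box, so an entry from an unknown publisher is worth tracing to its DLL before anything else.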
I just checked back here and found this post. No, I didn't have Ad-Watch turned off. Let me know if you want me to run the fixes again with both Ad-Watch and Symantec off.
Sandy
I meant to ask if you had Ad-watch turned off (and you should probably temporarily turn off Symantec also) during these runs. Ad-Watch especially as it might interfere with the fixes we are trying to make.
0 -
Here is the new ComboFix.txt, followed by a new HijackThis log.
ComboFix 08-03-14.4 - Sandy 2008-03-18 13:40:37.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.154 [GMT -6:00]
Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandy\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\amp.bat
C:\Program Files\Internet Explorer\mokeogmv.exe
C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
C:\WINDOWS\system32\syst0bv.exe
C:\WINDOWS\System32\win_3u.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\amp.bat
C:\WINDOWS\Downloaded Program Files\ieplugin001.dll
C:\WINDOWS\system32\syst0bv.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-17 19:10 . 2008-03-17 19:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-17 19:05 . 2008-03-17 19:31 <DIR> d-------- C:\SDFix
2008-03-16 23:32 . 2008-03-16 23:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-18 17:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-17 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 17:00 --------- d-----w C:\Program Files\Google
2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db
2008-03-12 21:19 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken
2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!
2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert
2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec
2008-02-11 15:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 15:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 19:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT
2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_23.23.09.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-18 01:11:06 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-18 01:11:06 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-18 01:10:55 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-18 01:10:55 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\LastGood\System32\LegitCheckControl.DLL
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\LastGood\System32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\LastGood\System32\lnod32upd.dll
+ 2008-02-11 15:39:26 253,952 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerUninstaller.exe
- 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2008-03-18 07:41:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat
- 2008-03-17 05:17:27 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-18 19:31:31 458,752 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]
C:\WINDOWS\twain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]
C:\ImageMate CompactFlash USB\SandIcon.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:
"2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 13:43:33
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-18 13:44:30
ComboFix-quarantined-files.txt 2008-03-18 19:44:21
ComboFix2.txt 2008-03-18 17:24:59
ComboFix3.txt 2008-03-17 21:29:47
ComboFix4.txt 2008-03-17 05:23:52
ComboFix5.txt 2008-03-06 03:43:46
.
2008-03-15 08:55:48 --- E O F ---
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:42 PM, on 3/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg
O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg
O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg
--
End of file - 9960 bytes
-------------------------------------------------------------