Infected With Virtumonde, Spywarebot, Smitfraud.c, Possibly Others

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected With Virtumonde, Spywarebot, Smitfraud.c, Possibly Others, Haven't been able to remove with adaware and spybot S&D

Options

nbneedshelp View Member Profile	Aug 12 2008, 08:53 PM Post #1
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	I have tried both adaware and spybot S&D. They find different problems, but neither is able to delete any of the infections they deem serious. Have tried running spybot in safe mode too, doesn't seem to work better. It keeps saying it might be able to delete after reboot, but I have let it reboot and try again many times without success. However, since running spybot and adaware, I no longer am getting random popup windows (while not surfing the internet) and the Smitfraud popup wallpaper that I had before. Is there still a problem (I assume yes), and if so, what can I do? Any help you can provide would be greatly appreciated!!! My current HijackThis Log is as follows: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:51:46 PM, on 8/12/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\BigFix\BigFix.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [BMb7a60052] Rundll32.exe "C:\WINDOWS\system32\tbtxerco.dll",s O4 - HKLM\..\Run: [b49533ce] rundll32.exe "C:\WINDOWS\system32\dteydgsb.dll",b O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://jport.uscourts.gov/dana-cached/setu...perSetupSP1.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 8909 bytes

Rodav View Member Profile	Aug 13 2008, 05:07 PM Post #2
Senior Member Group: HJT Team Posts: 387 Joined: 21-March 08 Member No.: 197,856	Hello! and welcome to the Bleeping Computer forums. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations. As I am still training, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice. I will be working on your Malware issues, this may or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. -------------------- MalWare Removal University Master

Rodav View Member Profile	Aug 14 2008, 05:30 AM Post #3
Senior Member Group: HJT Team Posts: 387 Joined: 21-March 08 Member No.: 197,856	Step 1: Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled. First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol) If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless. If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D Click Mode, choose Advanced Mode Go To the bottom of the Vertical Panel on the Left, Click Tools then, also in left panel, click Resident shows a red/white shield. If your firewall raises a question, say OK In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active OK any prompts. Use File, Exit to terminate Spybot Reboot your machine for the changes to take effect. Don't forget to re-enable it, when your computer is clean. Step 2: We will begin with ComboFix.exe, which can be downloaded from one of the following links. Link 1 Link 2 Link 3 Please visit this webpage for instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed. Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. This is very important, if you do not know how to please refer to this topic: http://www.bleepingcomputer.com/forums/topic114351.html Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system: C:\ComboFix.txt Step 3: HijackThis should not be run directly from your desktop, create a new folder on your desktop and call it HJT, then right-click HijackThis.exe and select rename, change the name to Rodav.exe then copy and paste Rodav.exe to the HJT folder you just created. Then do a system scan and in your next reply please post: The ComboFix report (C:\ComboFix.txt) The new HijackThis (rodav.exe) log -------------------- MalWare Removal University Master

nbneedshelp View Member Profile	Aug 14 2008, 09:10 PM Post #4
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	Thank you very much for the help. I'll do these steps, and post the results as soon as I can. That may be sometime tomorrow. I also wanted to let you know that Adaware has found malware I didn't note before: win32.rootkit agent. Also, while I've been online downloading combofix and these instructions (and since turning off tea timer) the popups have started again. Are those causing more problems or is it safe enough for now just to close and ignore them? Thanks again for the help! It is truly appreciated!!!!!!

nbneedshelp View Member Profile	Aug 14 2008, 10:18 PM Post #5
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	As far as I can tell, both HJT (renamed rodav) and Combofix ran successfully. Norton antivirus (which I long ago uninstalled and hadn't heard anything from in months) popped up after combofix rebooted and objected to combofix, but after I authorized it to allow combofix to run, combofix seemed to finish. Is that a problem? Again, thank you so much for the help!!!! The log files are as follows: Combofix: ComboFix 08-08-14.02 - Owner 2008-08-14 22:43:56.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT -4:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\JER276KT\interclick.com C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\JER276KT\interclick.com\ud.sol C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Documents and Settings\Owner\cookies\owner@adtrgt[3].txt C:\Documents and Settings\Owner\cookies\owner@antispywaremaster[1].txt C:\Documents and Settings\Owner\cookies\owner@ehg-verizon.hitbox[2].txt C:\Documents and Settings\Owner\cookies\owner@tracking.dsmmadvantage[1].txt C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\temp\tn3 C:\WINDOWS\BMb7a60052.txt C:\WINDOWS\BMb7a60052.xml C:\WINDOWS\cookies.ini C:\WINDOWS\IA C:\WINDOWS\pskt.ini C:\WINDOWS\system32\atrwooda.ini C:\WINDOWS\system32\bsgdyetd.ini C:\WINDOWS\system32\bwzgnz.dll C:\WINDOWS\system32\cljilgpf.dll C:\WINDOWS\system32\dllcache\npptools.dll C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\fdcc.sys C:\WINDOWS\system32\eaqsfegc.dll C:\WINDOWS\system32\eNpAayay.ini C:\WINDOWS\system32\eNpAayay.ini2 C:\WINDOWS\system32\facfrtam.dll C:\WINDOWS\system32\fccywuSI.dll C:\WINDOWS\system32\fkndhcel.dll C:\WINDOWS\system32\fxcueeos.exe C:\WINDOWS\system32\gfkyrhgf.ini C:\WINDOWS\system32\ilhdzx.dll C:\WINDOWS\system32\jbkhdkfq.dll C:\WINDOWS\system32\kbpkkcms.ini C:\WINDOWS\system32\kuexuckr.exe C:\WINDOWS\system32\llbyryye.exe C:\WINDOWS\system32\matrfcaf.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\njdtud.dll C:\WINDOWS\system32\nlufwr.dll C:\WINDOWS\system32\npptools.dll C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\ppmohdxl.exe C:\WINDOWS\system32\qysywz.dll C:\WINDOWS\system32\tbtxerco.dll C:\WINDOWS\system32\uqkmkfdc.dll C:\WINDOWS\system32\vbabxqxx.dll C:\WINDOWS\system32\ynwgjgbn.dll D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CMDSERVICE -------\Legacy_FDCC -------\Legacy_NETWORK_MONITOR -------\Service_fdcc ((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 ))))))))))))))))))))))))))))))) . 2008-08-11 19:32 . 2008-08-11 21:25 209 --a------ C:\WINDOWS\wininit.ini 2008-08-11 18:39 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator.NATEANDRACHEL\WINDOWS 2008-08-11 18:39 . 2005-03-22 04:01 <DIR> d-------- C:\Documents and Settings\Administrator.NATEANDRACHEL\Application Data\SampleView 2008-08-11 18:39 . 2008-08-11 18:39 <DIR> d-------- C:\Documents and Settings\Administrator.NATEANDRACHEL 2008-08-11 18:24 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl 2008-08-11 18:01 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2008-08-11 17:57 . 2008-08-11 17:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-08-11 17:57 . 2008-08-11 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-08-11 17:55 . 2008-08-11 17:55 <DIR> d-------- C:\Program Files\Trend Micro 2008-08-11 07:41 . 2008-08-11 07:41 312,320 --a------ C:\WINDOWS\system32\yayaApNe.dll 2008-08-11 07:36 . 2008-08-11 10:48 <DIR> d-------- C:\WINDOWS\system32\tp 2008-08-11 07:36 . 2008-08-11 07:36 <DIR> d-------- C:\WINDOWS\system32\kBin19 2008-08-11 07:36 . 2008-08-11 10:48 <DIR> d-------- C:\WINDOWS\system32\gps 2008-08-11 07:36 . 2008-08-11 10:48 <DIR> d-------- C:\WINDOWS\system32\fx 2008-08-11 07:36 . 2008-08-11 07:36 <DIR> d-------- C:\temp\epr1 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-15 02:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-08-11 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-08-11 11:59 --------- d-----w C:\Program Files\Lavasoft 2008-08-11 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-21 17:15 --------- d-----w C:\Program Files\Common Files\Adobe 2008-06-21 17:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2005-09-11 03:26 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4687D5BD-4EC6-4731-B6C6-F8AE032C2224}] 2008-08-11 07:41 312320 --a------ C:\WINDOWS\system32\yayaApNe.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 09:22 68856] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50 155648] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 13:47 98394] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 13:47 688218] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-17 20:20 155648] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-17 20:20 126976] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42 32768] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-22 03:55 98304] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2004-10-02 20:34 184320] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2004-08-04 15:00 53760 C:\WINDOWS\system32\narrator.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696] BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2005-03-22 03:57:07 1742384] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-11-17 05:00 86016] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP::Disabled:EarthLink UHP Modem Support R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-10-03 13:48] S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [] . Contents of the 'Scheduled Tasks' folder 2008-08-09 C:\WINDOWS\Tasks\McAfee AntiSpyware.job - C:\PROGRA~1\McAfee\MCAFEE~1\McSpy.exe [2004-11-17 05:00] 2008-08-09 C:\WINDOWS\Tasks\McAfee AntiSpyware.job - C:\PROGRA~1\McAfee\MCAFEE~1 [2005-03-22 03:58] 2008-08-15 C:\WINDOWS\Tasks\McAfee.com Update Check (NATEANDRACHEL-Owner).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2004-10-02 20:34] 2008-08-15 C:\WINDOWS\Tasks\McAfee.com Update Check (NATEANDRACHEL-Owner).job - C:\PROGRA~1\mcafee.com\agent [2006-12-13 20:38] 2008-08-15 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2004-10-02 20:34] 2008-08-15 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent [2006-12-13 20:38] 2008-08-15 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-9C091494DD-Owner).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2004-10-02 20:34] 2008-08-15 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-9C091494DD-Owner).job - C:\PROGRA~1\mcafee.com\agent [2006-12-13 20:38] 2008-08-09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe [2005-01-10 12:20] 2006-12-17 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24] . - - - - ORPHANS REMOVED - - - - HKLM-Run-b49533ce - C:\WINDOWS\system32\facfrtam.dll HKLM-Run-BMb7a60052 - C:\WINDOWS\system32\ynwgjgbn.dll . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2oi6ld2t.default\ FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava11.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava12.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava13.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava14.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava32.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJPI142.dll FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPOJI610.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPUploader.dll FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll *********************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-14 22:53:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe . ************************************************************************ . Completion time: 2008-08-14 23:10:28 - machine was rebooted [Owner] ComboFix-quarantined-files.txt 2008-08-15 03:10:24 Pre-Run: 56,716,349,440 bytes free Post-Run: 56,665,882,624 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 215 --- E O F --- 2008-07-12 21:16:02 Hijack This (Rodav): Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:13:41 PM, on 8/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BigFix\BigFix.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\rundll32.exe C:\Documents and Settings\Owner\Desktop\HJT\rodav.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: (no name) - {C387F0CE-11F9-4644-9149-BA2776CD3AE7} - C:\WINDOWS\system32\yayaApNe.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://jport.uscourts.gov/dana-cached/setu...perSetupSP1.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 8883 bytes

nbneedshelp View Member Profile	Aug 14 2008, 10:21 PM Post #6
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	P.S. I haven't seen any of the popups I was seeing before I ran combofix -- so I hope that's a sign of progress! Before, I was using mozilla to post to this site (without IE open) and IE kept popping open with strange popups, mostlly advertising antivirus software (presumably malicious?) Anyway, thanks!!!!! nb

Rodav View Member Profile	Aug 15 2008, 11:45 AM Post #7
Senior Member Group: HJT Team Posts: 387 Joined: 21-March 08 Member No.: 197,856	You're doing a good job, but there's still more work to do. Norton is definitely installed and is running. I'm presuming you no longer have a current subscription for it, if so you can run the Norton Removal Tool: http://service1.symantec.com/Support/tsgen...005033108162039 which should uninstall it completely. Then immediately download and install one of these free for personal use antivirus; AntiVir or Avast. Again make sure all your protection programs are disabled before doing Step 1. Step 1: 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: CODE File:: C:\WINDOWS\system32\yayaApNe.dll Folder:: C:\WINDOWS\system32\tp C:\WINDOWS\system32\kBin19 C:\WINDOWS\system32\gps C:\WINDOWS\system32\fx C:\temp Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4687D5BD-4EC6-4731-B6C6-F8AE032C2224}] Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Step 2: Open HijackThis. Look under System tools. Click on the Open Uninstall Manager... button. Click on the Save list... button. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt. Notepad will open. Please copy and paste the contents of this log in your next reply. Step 3: Run HijackThis (Rodav.exe), do a system scan and post the following into your next reply: The combofix results (C:\ComboFix.txt) The Uninstall list A new HijackThis log -------------------- MalWare Removal University Master

nbneedshelp View Member Profile	Aug 15 2008, 07:43 PM Post #8
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	I uninstalled Norton, and downloaded Avast. I didn't install it until after running Combofix. How do I disable Avast before the next combofix run? Thank you again very much for the assistance!!!! Here are the logs: Combofix: ComboFix 08-08-14.02 - Owner 2008-08-15 20:22:00.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.293 [GMT -4:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt FILE :: C:\WINDOWS\system32\yayaApNe.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\temp C:\temp\epr1\K19i.log C:\WINDOWS\system32\eNpAayay.ini C:\WINDOWS\system32\eNpAayay.ini2 C:\WINDOWS\system32\fx C:\WINDOWS\system32\gps C:\WINDOWS\system32\kBin19 C:\WINDOWS\system32\kBin19\kBin191065.exe C:\WINDOWS\system32\tp C:\WINDOWS\system32\yayaApNe.dll . ((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 ))))))))))))))))))))))))))))))) . 2008-08-11 19:32 . 2008-08-11 21:25 209 --a------ C:\WINDOWS\wininit.ini 2008-08-11 18:39 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator.NATEANDRACHEL\WINDOWS 2008-08-11 18:39 . 2005-03-22 04:01 <DIR> d-------- C:\Documents and Settings\Administrator.NATEANDRACHEL\Application Data\SampleView 2008-08-11 18:39 . 2008-08-11 18:39 <DIR> d-------- C:\Documents and Settings\Administrator.NATEANDRACHEL 2008-08-11 18:24 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl 2008-08-11 18:01 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2008-08-11 17:57 . 2008-08-11 17:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-08-11 17:57 . 2008-08-11 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-08-11 17:55 . 2008-08-11 17:55 <DIR> d-------- C:\Program Files\Trend Micro . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-16 00:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-08-11 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-08-11 11:59 --------- d-----w C:\Program Files\Lavasoft 2008-08-11 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-21 17:15 --------- d-----w C:\Program Files\Common Files\Adobe 2008-06-21 17:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2005-09-11 03:26 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 09:22 68856] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50 155648] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 13:47 98394] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 13:47 688218] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-17 20:20 155648] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-17 20:20 126976] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42 32768] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-22 03:55 98304] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2004-10-02 20:34 184320] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2004-08-04 15:00 53760 C:\WINDOWS\system32\narrator.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696] BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2005-03-22 03:57:07 1742384] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-11-17 05:00 86016] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP::Disabled:EarthLink UHP Modem Support R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-10-03 13:48] S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [] . Contents of the 'Scheduled Tasks' folder 2008-08-09 C:\WINDOWS\Tasks\McAfee AntiSpyware.job - C:\PROGRA~1\McAfee\MCAFEE~1\McSpy.exe [2004-11-17 05:00] 2008-08-09 C:\WINDOWS\Tasks\McAfee AntiSpyware.job - C:\PROGRA~1\McAfee\MCAFEE~1 [2005-03-22 03:58] 2008-08-16 C:\WINDOWS\Tasks\McAfee.com Update Check (NATEANDRACHEL-Owner).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2004-10-02 20:34] 2008-08-16 C:\WINDOWS\Tasks\McAfee.com Update Check (NATEANDRACHEL-Owner).job - C:\PROGRA~1\mcafee.com\agent [2006-12-13 20:38] 2008-08-16 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2004-10-02 20:34] 2008-08-16 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent [2006-12-13 20:38] 2008-08-16 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-9C091494DD-Owner).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2004-10-02 20:34] 2008-08-16 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-9C091494DD-Owner).job - C:\PROGRA~1\mcafee.com\agent [2006-12-13 20:38] . *********************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-15 20:30:52 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\wscntfy.exe . ********************************************************************** . Completion time: 2008-08-15 20:34:04 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-16 00:34:00 ComboFix2.txt 2008-08-15 03:10:29 Pre-Run: 56,973,582,336 bytes free Post-Run: 56,982,622,208 bytes free 133 --- E O F --- 2008-07-12 21:16:02 Uninstall List: Ad-Aware Adobe Flash Player 9 ActiveX Adobe Flash Player Plugin Adobe Reader 7.1.0 Age of Empires III Age of Empires III Trial AOL Instant Messenger (SM) AOL Toolbar AOL You've Got Pictures Screensaver AVG Anti-Rootkit Free BigFix Comcast High-Speed Internet Install Wizard Conexant AC-Link 2 Channel Audio CutePDF Writer 2.6 Gateway Drivers and Applications Recovery Google Toolbar for Internet Explorer HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Intel® Extreme Graphics 2 Driver Java 2 Runtime Environment, SE v1.4.2 Juniper Networks Network Connect 5.5.0 Learn2 Player (Uninstall Only) LucasArts' Star Wars Rebellion McAfee AntiSpyware McAfee SecurityCenter Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Internationalized Domain Names Mitigation APIs Microsoft Money 2005 Microsoft National Language Support Downlevel APIs Microsoft Office Standard Edition 2003 Microsoft Picture It! Premium 10 Microsoft Works Mozilla Firefox (3.0.1) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) Nero BurnRights Nero OEM Pdf995 PdfEdit995 Picasa 2 PowerDVD QuickTime RealPlayer Basic Savings Bond Wizard Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893066) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922760) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925454) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928090) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB929969) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933566) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB937143) Security Update for Windows XP (KB938127) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB939653) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB941693) Security Update for Windows XP (KB942615) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB945553) Security Update for Windows XP (KB946026) Security Update for Windows XP (KB948590) Security Update for Windows XP (KB948881) Security Update for Windows XP (KB950749) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Shutterfly Plugin Sid Meier's Railroad Tycoon Soft Data Fax Modem with SmartCP Spybot - Search & Destroy Synaptics Pointing Device Driver TaxCut Basic 2006 Texas Instruments PCIxx21/x515 drivers. Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB929338) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB932823-v3) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Update for Windows XP (KB942840) Viewpoint Media Player Windows Backup Utility Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893086 HijackThis (Rodav)** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:37:59 PM, on 8/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BigFix\BigFix.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Owner\Desktop\HJT\rodav.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://jport.uscourts.gov/dana-cached/setu...perSetupSP1.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- End of file - 6599 bytes

Rodav View Member Profile	Aug 16 2008, 06:53 AM Post #9
Senior Member Group: HJT Team Posts: 387 Joined: 21-March 08 Member No.: 197,856	You can disable avast by doing the following: Right click on the avast! icon in system tray (looks like this: ) and choose (Stop On-Access Protection) However we won't be running combofix for the moment at least. Step 1: Old versions of Java have vulnerabilities that malware can exploit. Click Start Go to Control Panel Go to Add/Remove Programs Find and click Remove for the following (if present): Java 2 Runtime Environment, SE v1.4.2 If you would like the latest version of Java Runtime Environment(JRE) you can download it from here: http://java.sun.com/javase/downloads/index.jsp Step 2: Run Eset NOD32 Online AntiVirus http://www.eset.eu/online-scanner Note: You will need to use Internet Explorer for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock. Click Start Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked Click Scan Wait for the scan to finish Re-enable your Anvirisus software. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post. Step 3: Run HijackThis, do a system scan and post the following into your next reply: The online NOD32 scan results The new HijackThis log Also please let me know how your computer is running now. -------------------- MalWare Removal University Master

nbneedshelp View Member Profile	Aug 16 2008, 12:42 PM Post #10
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	Thank you again for the assistance! My computer seems to be running much better now. I haven't noticed any symptoms since I last mentioned that the popups had returned (a couple of days ago) and my internet access seems to be going much faster. I couldn't access email or several other sites (including google) when I first posted, but those work fine now too. I realize that a lack of symptoms doesn't mean everything is fixed though. I uninstalled the old Java and installed the new JRE, and ran Eset NOD32 and hijackthis (renamed). The log results are as follows: ESET: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3360 (20080815) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=3fe72ea799827d4491de23ff81b76b94 # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-08-16 05:30:05 # local_time=2008-08-16 01:30:05 (-0500, Eastern Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=238035 # found=7 # scan_time=2097 C:\QooBox\Quarantine\C\WINDOWS\system32\fxcueeos.exe.vir Win32/Adware.Virtumonde application 134346ACD9DD7FA8305CC02D66B86D31 C:\QooBox\Quarantine\C\WINDOWS\system32\kuexuckr.exe.vir Win32/Adware.Virtumonde application 134346ACD9DD7FA8305CC02D66B86D31 C:\QooBox\Quarantine\C\WINDOWS\system32\llbyryye.exe.vir Win32/Adware.Virtumonde application 134346ACD9DD7FA8305CC02D66B86D31 C:\QooBox\Quarantine\C\WINDOWS\system32\ppmohdxl.exe.vir Win32/Adware.Virtumonde application 134346ACD9DD7FA8305CC02D66B86D31 C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\fdcc.sys.zip Win32/Rootkit.TniDrive.B trojan EA22989508B5C7C99CEFAF94613B2521 C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\fdcc.sys.zip »ZIP »fdcc.sys Win32/Rootkit.TniDrive.B trojan 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\system32\kBin19\kBin191065.exe.vir a variant of Win32/TrojanDownloader.VB.AW trojan E51D15336D1CC97236A6D479F8607521 HJT: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:32:53 PM, on 8/16/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\Program Files\BigFix\BigFix.exe C:\Documents and Settings\Owner\Desktop\HJT\rodav.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://jport.uscourts.gov/dana-cached/setu...perSetupSP1.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- End of file - 7143 bytes

Rodav View Member Profile	Aug 17 2008, 04:09 AM Post #11
Senior Member Group: HJT Team Posts: 387 Joined: 21-March 08 Member No.: 197,856	Things are looking a lot healthier now. Make sure Avast is installed and you have the protection enabled as we're almost finished. Step 1: Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there. You can also delete any logs we have produced, and empty your Recycle bin. Your logs are now clean. If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following: Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint. Below are some steps to follow in order to dramatically lower the chances of reinfection You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC Go here to check for & install updates to Microsoft applications Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install Keep your non-Microsoft applications updated as well Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month Make Internet Explorer more secure Click Start > Run Type Inetcpl.cpl & click OK Click on the Security tab Click Reset all zones to default level Make sure the Internet Zone is selected & Click Custom level In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable". Next Click OK, then Apply button and then OK to exit the Internet Properties page. Install a Hosts File I recommend MVPS Hosts File Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue Click Start > Run Type services.msc & click OK In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services window For a more detailed explanation of the HOSTS file, click here Install Malwarebytes & update and scan with it regularly Malwarebytes is a free for personal use on demand scanner which is developed by active members of the Malware Removal community. It detects and removes many modern infections. The paid version offers realtime protection. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about what the programs that you see in Winpatrol please check out Winpatrol Plus. It does not need a new download. The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE. If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk. Malware changes on a day to day basis. You should update every week at the very least. Miekiemoes an expert in malware removal has a fantastic article on how to prevent Malware for further tips, it's well worth a read. http://users.telenet.be/bluepatchy/miekiem...prevention.html Please reply to this topic one more time so I know you have read through it or with any questions you may have. -------------------- MalWare Removal University Master

nbneedshelp View Member Profile	Aug 17 2008, 09:30 AM Post #12
New Member Group: Members Posts: 7 Joined: 12-August 08 Member No.: 229,371	Thank you very much for the help. I will go through these instructions later today. I wanted to let you know that I ran an Avast scan after I posted the most recent set of logs, and Avast still thought it found Virtumonde and the win32 rootkit problems. I don't know if that indicates that there are still problems or not -- but wanted to ask. Thanks for all of the help! I definitely appreciate it!!!!!!!!!!!!

Rodav View Member Profile	Aug 18 2008, 03:41 AM Post #13
Senior Member Group: HJT Team Posts: 387 Joined: 21-March 08 Member No.: 197,856	It's likely Avast found those items ComboFixs quarantine, as soon as you do Step 1 from my previous post they will be removed. If you have let Avast remove them that's fine also. If your computer is back running how it should be, I'm fairly certain your computer is now clean. -------------------- MalWare Removal University Master

Shaba View Member Profile	Aug 20 2008, 05:16 AM Post #14
Koutsi Group: HJT Team Coach Posts: 5,768 Joined: 8-July 06 From: Finland Member No.: 75,186	Since this issue appears resolved ... this Topic is closed. Glad we could help. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic. -------------------- Microsoft MVP Consumer Security

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21st November 2009 - 10:37 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides