
How To Get Rid Of Red Stop Sign Icon In Tray, Wont Delete


14 replies to this topic

#1 gunner617

gunner617

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 24 August 2007 - 06:34 PM

My computer has this annoying red stop sign-like icon that warns me of a virus on my computer. When I click on it, it's obviously a pop-up that says "scanning your computer"... I try to get rid of it, but every time I restart, it's back again.... But after following the tutorial and doing everything as explained, the icon is gone now, but the pop-ups still come.... not as frequent, but it's annoying. Please help, I know I've got a lot of viruses on my computer... how do I get rid of it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:09 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127453854125
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145319620734
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://auctiva.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer = 192.168.100.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer = 68.6.16.25,68.6.16.30,68.2.16.30
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 1: Microsoft Outlook Web Access - http://webmail.hoteldel.com/exchange/

--
End of file - 9478 bytes


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:52 AM

Posted 25 August 2007 - 08:49 AM

Hi

I need you to post the logs single spaced as it makes things easier to read:

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.
Download SmitfraudFix (by S!Ri) to your desktop.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

-----------------------------------------

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log.

Edited by didom, 25 August 2007 - 08:49 AM.


#3 gunner617

gunner617
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 25 August 2007 - 09:55 PM

I unchecked WordWrap... don't know why this is still double spaced.... hope this is acceptable.... thanks.



SmitFraudFix v2.217

Scan done at 19:43:37.76, Sat 08/25/2007
Run from C:\Documents and Settings\Jr\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer=192.168.100.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7BD226DB-6CCA-466B-A126-2F680C6358A6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer=68.6.16.25,68.6.16.30,68.2.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer=192.168.100.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7BD226DB-6CCA-466B-A126-2F680C6358A6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer=68.6.16.25,68.6.16.30,68.2.16.30
HKLM\SYSTEM\CS3\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer=192.168.100.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7BD226DB-6CCA-466B-A126-2F680C6358A6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer=68.6.16.25,68.6.16.30,68.2.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Edited by gunner617, 25 August 2007 - 09:57 PM.


#4 gunner617

gunner617
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 25 August 2007 - 10:24 PM

ComboFix 07-08-26 - "Jr" 2007-08-25 20:08:08.1 - FAT32x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.748 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JR\APPLIC~1\curity~1
C:\DOCUME~1\JR\APPLIC~1\macromedia\Flash Player\#SharedObjects\R876928L\www.inter-focus.cn
C:\DOCUME~1\JR\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Program Files\Common Files\ymbols~1
C:\Program Files\ppatch~1
C:\Program Files\ppatch~1\??pPatch\
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\cdfvtwjd.dll
C:\WINDOWS\system32\pmnopqo.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\wnsintsv32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NWSAPAGENT
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-25 20:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-25 19:48 87,616 --a------ C:\WINDOWS\system32\neygrrjc.dll
2007-08-25 19:43 2,576 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-25 18:03 87,616 --a------ C:\WINDOWS\system32\lgetbnwf.dll
2007-08-25 11:58 87,616 --a------ C:\WINDOWS\system32\wfgoldmj.dll
2007-08-25 01:12 87,616 --a------ C:\WINDOWS\system32\mjamocmb.dll
2007-08-25 00:19 87,616 --a------ C:\WINDOWS\system32\bxufbwku.dll
2007-08-25 00:14 87,616 --------- C:\WINDOWS\system32\tqobvuix.dll
2007-08-24 17:08 87,616 --a------ C:\WINDOWS\system32\swckptbb.dll
2007-08-24 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-24 15:16 87,616 --a------ C:\WINDOWS\system32\vnrqydyj.dll
2007-08-24 04:58 87,616 --a------ C:\WINDOWS\system32\odoesgqf.dll
2007-08-24 04:54 <DIR> d--hs---- C:\FOUND.000
2007-08-24 03:39 87,616 --a------ C:\WINDOWS\system32\fjuhxkop.dll
2007-08-24 03:24 87,616 --a------ C:\WINDOWS\system32\njpmcwxf.dll
2007-08-23 22:09 87,616 --a------ C:\WINDOWS\system32\vsxpxjch.dll
2007-08-23 19:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-23 16:31 <DIR> d-------- C:\DOCUME~1\Jr\.housecall6.6
2007-08-23 16:21 87,616 --a------ C:\WINDOWS\system32\nuldrdig.dll
2007-08-23 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-23 14:34 87,616 --a------ C:\WINDOWS\system32\jyutgars.dll
2007-08-23 13:49 87,616 --------- C:\WINDOWS\system32\leusjmbu.dll
2007-08-23 11:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-23 11:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-23 01:02 87,616 --a------ C:\WINDOWS\system32\qqvqiqsx.dll
2007-08-22 22:19 87,616 --a------ C:\WINDOWS\system32\ssuxviyg.dll
2007-08-22 20:59 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\Symantec
2007-08-22 20:54 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-08-22 20:24 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-22 20:24 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-22 20:24 <DIR> d-------- C:\Program Files\Norton 360
2007-08-22 16:33 87,616 --a------ C:\WINDOWS\system32\noslrdxb.dll
2007-08-22 11:38 87,616 --a------ C:\WINDOWS\system32\dprlkxum.dll
2007-08-21 21:27 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-21 17:55 <DIR> d-------- C:\Program Files\Symantec
2007-08-21 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-21 17:54 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-21 13:13 87,616 --a------ C:\WINDOWS\system32\iyfixvcj.dll
2007-08-20 23:55 <DIR> d-------- C:\Program Files\Cox
2007-08-20 23:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Authentium
2007-08-20 23:49 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-08-20 23:19 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-08-20 19:33 93,696 --a------ C:\WINDOWS\system32\drvbul.dll
2007-08-19 23:08 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\.ABC
2007-08-19 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Quark
2007-08-19 17:39 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\Quark
2007-08-17 15:34 <DIR> d--h----- C:\DOCUME~1\Guest\InstallAnywhere
2007-08-17 15:34 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\WINDOWS
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\You've Got Pictures Screensaver
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Ulead Systems
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Simple Star
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Leadertech
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Intuit
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\InterVideo
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\InterTrust
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\ExpensAble
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\AOL
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\7100Series
2007-08-14 13:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-13 19:43 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Novatix
2007-08-13 19:42 <DIR> d--h----- C:\DOCUME~1\Malia\InstallAnywhere
2007-08-13 19:42 <DIR> d---s---- C:\DOCUME~1\Malia\UserData
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\WINDOWS
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\You've Got Pictures Screensaver
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Ulead Systems
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Simple Star
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Leadertech
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Intuit
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\InterVideo
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\InterTrust
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\ExpensAble
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\AOL
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\7100Series
2007-08-12 01:32 <DIR> d-------- C:\Program Files\VideoProfessor
2007-08-12 01:07 40,960 --a------ C:\WINDOWS\system32\exitwx.exe
2007-08-02 00:09 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\WinRAR
2007-07-28 18:26 <DIR> d-------- C:\DOCUME~1\LIA~1.LIU\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 11:45 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-23 11:45 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-22 20:26 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-22 20:26 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-19 23:08 --------- d-------- C:\DOCUME~1\JR\APPLIC~1\.ABC
2007-08-12 01:43 817664 ---h----- C:\WINDOWS\system32\wodfamoh.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-17 12:21 186256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-02 12:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 12:41 36624 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-02 12:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 12:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-02 12:41 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-02 12:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 12:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 12:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 12:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 12:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 12:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 12:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 12:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 12:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 12:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 12:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 12:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 12:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 12:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 12:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 12:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 12:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 12:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 12:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-27 14:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-27 07:35 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-08 18:12 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-30 23:13]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [2003-10-07 12:14 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]
wineak32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VTTimer"=VTTimer.exe
"VTTrayp"=VTtrayp.exe
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
"PinnacleDriverCheck"=C:\WINDOWS\System32\PSDrvCheck.exe
"FLMK08KB"=C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
"PowerS"=C:\WINDOWSPowerS.exe
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
"SetDefPrt"=C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"SoundMan"=SOUNDMAN.EXE
"workflo"=D:\install\workflow.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Realtime Audio Engine"=mmrtkrnl.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ESP"=C:\Program Files\Cox\Applications\app\start.exe
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\System32\Machnm32.sys
R2 MarxDev1;MarxDev1;C:\WINDOWS\system32\drivers\MarxDev1.sys
R2 MarxDev2;MarxDev2;C:\WINDOWS\system32\drivers\MarxDev2.sys
R2 MarxDev3;MarxDev3;C:\WINDOWS\system32\drivers\MarxDev3.sys
R3 CXTuner;Conexant TVTuner;C:\WINDOWS\system32\drivers\CXTuner.sys
R3 CXVideo;Conexant Capture;C:\WINDOWS\system32\drivers\CXVCap.sys
R3 CXXBar;Conexant Crossbar;C:\WINDOWS\system32\drivers\CXXBar.sys
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys
S2 Ca536av;Take-it DV Series;C:\WINDOWS\system32\Drivers\Ca536av.sys
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 dTVdrvNT;dTVdrvNT;\??\H:\IOMEGA_HD1 (G)\program file\AV Music Morpher Gold\Effects\DirectX\dTVdrvNT.sys
S3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys
S3 USBCamera;Take-it DSC Series;C:\WINDOWS\system32\Drivers\Bulk536.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-08-26 03:00:00 C:\WINDOWS\Tasks\A0F0C2BD918B7981.job - c:\docume~1\jr\applic~1\helpai~1\itchbindsoap.exe
2007-08-24 23:33:02 C:\WINDOWS\Tasks\{6D2DE558-B1BC-43AC-B6E0-61B1BA9BF48B}_LIUFAU_Jr.job - C:\WINDOWS\system32\mobsync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 20:14:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-25 20:15:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-25 20:16

--- E O F ---

#5 didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 26 August 2007 - 04:30 PM

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\WINDOWS\system32\neygrrjc.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\lgetbnwf.dll
C:\WINDOWS\system32\wfgoldmj.dll
C:\WINDOWS\system32\mjamocmb.dll
C:\WINDOWS\system32\bxufbwku.dll
C:\WINDOWS\system32\tqobvuix.dll
C:\WINDOWS\system32\swckptbb.dll
C:\WINDOWS\system32\vnrqydyj.dll
C:\WINDOWS\system32\odoesgqf.dll
C:\WINDOWS\system32\fjuhxkop.dll
C:\WINDOWS\system32\njpmcwxf.dll
C:\WINDOWS\system32\vsxpxjch.dll
C:\WINDOWS\system32\nuldrdig.dll
C:\WINDOWS\system32\jyutgars.dll
C:\WINDOWS\system32\leusjmbu.dll
C:\WINDOWS\system32\qqvqiqsx.dll
C:\WINDOWS\system32\ssuxviyg.dll
C:\WINDOWS\system32\noslrdxb.dll
C:\WINDOWS\system32\dprlkxum.dll
C:\WINDOWS\system32\iyfixvcj.dll
C:\WINDOWS\system32\drvbul.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


[Screenshot: CFScript.txt being dragged onto ComboFix.exe]


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Please post the log from the ComboFix scan located at C:\ComboFix.txt together with a new hijackthislog.
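As an added illustration of the log-to-script step described in this post (example code written for this page, not a BleepingComputer, HijackThis or ComboFix tool): a small Python parser that reads HijackThis "Oxx - ..." lines, flags the entries HijackThis marks "(file missing)", picks out orphaned O20 Winlogon Notify subkeys such as the wineak32 one targeted above, and renders a CFScript in the File:: / Registry:: layout shown. The sample log lines are constructed from lines in this thread; the function and class names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: four HijackThis v2 lines in the shape seen in this
# thread's log. "(file missing)" is how HijackThis marks a referenced file that
# no longer exists on disk while its registry entry still points at it.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Registry parent of the O20 entries (same key the CFScript in this thread removes under).
WINLOGON_NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


@dataclass
class HjtEntry:
    section: str        # "O2", "O4", "O20", ...
    detail: str         # everything after "Oxx - "
    file_missing: bool  # True when HijackThis appended "(file missing)"


_LINE_RE = re.compile(r"^(O\d+) - (.*)$")
_NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - ")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Turn HijackThis 'Oxx - ...' lines into structured entries; other lines are ignored."""
    entries: list[HjtEntry] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        entries.append(HjtEntry(section, detail, detail.endswith("(file missing)")))
    return entries


def orphaned_winlogon_notify(entries: list[HjtEntry]) -> list[str]:
    """Names of O20 Winlogon Notify subkeys whose DLL is gone.

    The subkey still tells winlogon to load the DLL at every logon, which is why
    the helper in this thread deletes the key rather than just the file.
    """
    names: list[str] = []
    for e in entries:
        if e.section != "O20" or not e.file_missing:
            continue
        m = _NOTIFY_RE.match(e.detail)
        if m:
            names.append(m.group(1))
    return names


def build_cfscript(files: list[str], notify_names: list[str]) -> str:
    """Render CFScript.txt text in the File:: / Registry:: layout used in this thread."""
    lines: list[str] = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    if notify_names:
        lines.append("Registry::")
        for name in notify_names:
            # A leading '-' inside the brackets asks ComboFix to delete the whole subkey.
            lines.append(f"[-{WINLOGON_NOTIFY_KEY}\\{name}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for entry in parsed:
        flag = "MISSING" if entry.file_missing else "ok     "
        print(f"{flag} {entry.section:<4} {entry.detail}")
    print()
    print(build_cfscript([r"C:\WINDOWS\system32\neygrrjc.dll"], orphaned_winlogon_notify(parsed)))
```

Run it as-is to see the two "(file missing)" entries flagged and a CFScript containing the wineak32 key line; only paths and keys a helper has actually confirmed should ever go into a real CFScript.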

#6 gunner617

  • Topic Starter
  • Members
  • 10 posts

Posted 27 August 2007 - 01:23 AM

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Jr\Desktop
[8/26/2007]
[11:13:39 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\A0F0C2BD918B7981.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\7100series
C:\Documents and Settings\Default User\Application Data\Ulead Systems
C:\Documents and Settings\Default User\Application Data\Intervideo
C:\Documents and Settings\Default User\Application Data\Leadertech
C:\Documents and Settings\Default User\Application Data\Simple Star
C:\Documents and Settings\Default User\Application Data\Adobe
C:\Documents and Settings\Default User\Application Data\Intertrust
C:\Documents and Settings\Default User\Application Data\Expensable
C:\Documents and Settings\Default User\Application Data\Macromedia
C:\Documents and Settings\Default User\Application Data\Intuit
C:\Documents and Settings\Default User\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Default User\Application Data\Mozilla
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Netscape Internet Service -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Individual Software
C:\Documents and Settings\All Users\Application Data\Broderbund Software
C:\Documents and Settings\All Users\Application Data\Broderbund Llc
C:\Documents and Settings\All Users\Application Data\Intervideo
C:\Documents and Settings\All Users\Application Data\Ulead Systems
C:\Documents and Settings\All Users\Application Data\Brother
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Mca14.tmp
C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Ipswitch
C:\Documents and Settings\All Users\Application Data\Kodak -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Nch Swift Sound
C:\Documents and Settings\All Users\Application Data\Mca16.tmp
C:\Documents and Settings\All Users\Application Data\Smilebox
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\All Users\Application Data\Mozilla
C:\Documents and Settings\All Users\Application Data\Copydashlogoroam
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Quark
C:\Documents and Settings\All Users\Application Data\Authentium
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Jr\Application Data\Identities
C:\Documents and Settings\Jr\Application Data\Mozilla
C:\Documents and Settings\Jr\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Jr\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Jr\Application Data\Intuit
C:\Documents and Settings\Jr\Application Data\Macromedia
C:\Documents and Settings\Jr\Application Data\Expensable
C:\Documents and Settings\Jr\Application Data\Intertrust
C:\Documents and Settings\Jr\Application Data\Adobe
C:\Documents and Settings\Jr\Application Data\Simple Star
C:\Documents and Settings\Jr\Application Data\Leadertech
C:\Documents and Settings\Jr\Application Data\Intervideo
C:\Documents and Settings\Jr\Application Data\Ulead Systems
C:\Documents and Settings\Jr\Application Data\7100series
C:\Documents and Settings\Jr\Application Data\Microsoft
C:\Documents and Settings\Jr\Application Data\Aladdin Systems
C:\Documents and Settings\Jr\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Jr\Application Data\Brother
C:\Documents and Settings\Jr\Application Data\Sun
C:\Documents and Settings\Jr\Application Data\Roxio
C:\Documents and Settings\Jr\Application Data\Arcsoft
C:\Documents and Settings\Jr\Application Data\Adobeum
C:\Documents and Settings\Jr\Application Data\Snapfish
C:\Documents and Settings\Jr\Application Data\Apple Computer
C:\Documents and Settings\Jr\Application Data\Corel
C:\Documents and Settings\Jr\Application Data\Help
C:\Documents and Settings\Jr\Application Data\Template -- EMPTY Directory
C:\Documents and Settings\Jr\Application Data\Icaclient -- EMPTY Directory
C:\Documents and Settings\Jr\Application Data\Ipswitch
C:\Documents and Settings\Jr\Application Data\Novatix
C:\Documents and Settings\Jr\Application Data\Avs Video Converter
C:\Documents and Settings\Jr\Application Data\Mcafee
C:\Documents and Settings\Jr\Application Data\Seven Zip
C:\Documents and Settings\Jr\Application Data\Nch Swift Sound
C:\Documents and Settings\Jr\Application Data\Recordpad -- EMPTY Directory
C:\Documents and Settings\Jr\Application Data\Smartdraw
C:\Documents and Settings\Jr\Application Data\Real
C:\Documents and Settings\Jr\Application Data\Divx
C:\Documents and Settings\Jr\Application Data\Myspace
C:\Documents and Settings\Jr\Application Data\Smilebox
C:\Documents and Settings\Jr\Application Data\Ebooksys
C:\Documents and Settings\Jr\Application Data\Viewpoint
C:\Documents and Settings\Jr\Application Data\Ahead
C:\Documents and Settings\Jr\Application Data\Talkback
C:\Documents and Settings\Jr\Application Data\Move Networks
C:\Documents and Settings\Jr\Application Data\Help Aim Ooze
C:\Documents and Settings\Jr\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Jr\Application Data\Quark
C:\Documents and Settings\Jr\Application Data\.abc
C:\Documents and Settings\Jr\Application Data\Symantec
C:\Documents and Settings\Owner\Application Data\Simple Star
C:\Documents and Settings\Owner\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Lia\Application Data\Mozilla
C:\Documents and Settings\Lia\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Lia\Application Data\Intuit
C:\Documents and Settings\Lia\Application Data\Macromedia
C:\Documents and Settings\Lia\Application Data\Expensable
C:\Documents and Settings\Lia\Application Data\Adobe
C:\Documents and Settings\Lia\Application Data\Simple Star
C:\Documents and Settings\Lia\Application Data\Leadertech
C:\Documents and Settings\Lia\Application Data\Ulead Systems
C:\Documents and Settings\Lia\Application Data\7100series
C:\Documents and Settings\Lia\Application Data\Microsoft
C:\Documents and Settings\Lia\Application Data\Roxio
C:\Documents and Settings\Lia.liufau\Application Data\Identities
C:\Documents and Settings\Lia.liufau\Application Data\Mozilla
C:\Documents and Settings\Lia.liufau\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Lia.liufau\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Lia.liufau\Application Data\Intuit
C:\Documents and Settings\Lia.liufau\Application Data\Macromedia
C:\Documents and Settings\Lia.liufau\Application Data\Expensable
C:\Documents and Settings\Lia.liufau\Application Data\Intertrust
C:\Documents and Settings\Lia.liufau\Application Data\Adobe
C:\Documents and Settings\Lia.liufau\Application Data\Simple Star
C:\Documents and Settings\Lia.liufau\Application Data\Leadertech
C:\Documents and Settings\Lia.liufau\Application Data\Intervideo
C:\Documents and Settings\Lia.liufau\Application Data\Ulead Systems
C:\Documents and Settings\Lia.liufau\Application Data\7100series
C:\Documents and Settings\Lia.liufau\Application Data\Microsoft
C:\Documents and Settings\Lia.liufau\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Lia.liufau\Application Data\Roxio
C:\Documents and Settings\Lia.liufau\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Lia.liufau\Application Data\Brother
C:\Documents and Settings\Lia.liufau\Application Data\Sun
C:\Documents and Settings\Lia.liufau\Application Data\Apple Computer
C:\Documents and Settings\Lia.liufau\Application Data\Installshield
C:\Documents and Settings\Lia.liufau\Application Data\Real
C:\Documents and Settings\Lia.liufau\Application Data\Myspace
C:\Documents and Settings\Lia.liufau\Application Data\Talkback
C:\Documents and Settings\Joseph\Application Data\Mozilla
C:\Documents and Settings\Joseph\Application Data\Intuit
C:\Documents and Settings\Joseph\Application Data\Macromedia
C:\Documents and Settings\Joseph\Application Data\Expensable
C:\Documents and Settings\Joseph\Application Data\Adobe
C:\Documents and Settings\Joseph\Application Data\Simple Star
C:\Documents and Settings\Joseph\Application Data\Leadertech
C:\Documents and Settings\Joseph\Application Data\Ulead Systems
C:\Documents and Settings\Joseph\Application Data\7100series
C:\Documents and Settings\Joseph\Application Data\Microsoft
C:\Documents and Settings\Joseph\Application Data\Roxio
C:\Documents and Settings\Joseph\Application Data\Aladdin Systems
C:\Documents and Settings\Baby Tesa\Application Data\Mozilla
C:\Documents and Settings\Baby Tesa\Application Data\Intuit
C:\Documents and Settings\Baby Tesa\Application Data\Macromedia
C:\Documents and Settings\Baby Tesa\Application Data\Expensable
C:\Documents and Settings\Baby Tesa\Application Data\Adobe
C:\Documents and Settings\Baby Tesa\Application Data\Simple Star
C:\Documents and Settings\Baby Tesa\Application Data\Leadertech
C:\Documents and Settings\Baby Tesa\Application Data\Ulead Systems
C:\Documents and Settings\Baby Tesa\Application Data\7100series
C:\Documents and Settings\Baby Tesa\Application Data\Microsoft
C:\Documents and Settings\Baby Tesa\Application Data\Roxio
C:\Documents and Settings\Baby Tesa\Application Data\Identities
C:\Documents and Settings\Baby Tesa\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Baby Tesa\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Baby Tesa\Application Data\Intertrust
C:\Documents and Settings\Baby Tesa\Application Data\Intervideo
C:\Documents and Settings\Baby Tesa\Application Data\Mcafee.com Personal Firewall -- EMPTY Directory
C:\Documents and Settings\Baby Tesa\Application Data\Real
C:\Documents and Settings\Baby Tesa\Application Data\Sun
C:\Documents and Settings\Baby Tesa\Application Data\Myspace
C:\Documents and Settings\Baby Tesa\Application Data\Talkback
C:\Documents and Settings\Application Data\Application Data\Microsoft
C:\Documents and Settings\Administrator.liufau\Application Data\Mozilla
C:\Documents and Settings\Administrator.liufau\Application Data\Intuit
C:\Documents and Settings\Administrator.liufau\Application Data\Macromedia
C:\Documents and Settings\Administrator.liufau\Application Data\Expensable
C:\Documents and Settings\Administrator.liufau\Application Data\Adobe
C:\Documents and Settings\Administrator.liufau\Application Data\Simple Star
C:\Documents and Settings\Administrator.liufau\Application Data\Leadertech
C:\Documents and Settings\Administrator.liufau\Application Data\Ulead Systems
C:\Documents and Settings\Administrator.liufau\Application Data\7100series
C:\Documents and Settings\Administrator.liufau\Application Data\Microsoft
C:\Documents and Settings\Administrator.liufau.000\Application Data\Identities
C:\Documents and Settings\Administrator.liufau.000\Application Data\Mozilla
C:\Documents and Settings\Administrator.liufau.000\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Administrator.liufau.000\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Administrator.liufau.000\Application Data\Intuit
C:\Documents and Settings\Administrator.liufau.000\Application Data\Macromedia
C:\Documents and Settings\Administrator.liufau.000\Application Data\Expensable
C:\Documents and Settings\Administrator.liufau.000\Application Data\Intertrust
C:\Documents and Settings\Administrator.liufau.000\Application Data\Adobe
C:\Documents and Settings\Administrator.liufau.000\Application Data\Simple Star
C:\Documents and Settings\Administrator.liufau.000\Application Data\Leadertech
C:\Documents and Settings\Administrator.liufau.000\Application Data\Intervideo
C:\Documents and Settings\Administrator.liufau.000\Application Data\Ulead Systems
C:\Documents and Settings\Administrator.liufau.000\Application Data\7100series
C:\Documents and Settings\Administrator.liufau.000\Application Data\Microsoft
C:\Documents and Settings\Malia\Application Data\Identities
C:\Documents and Settings\Malia\Application Data\Mozilla
C:\Documents and Settings\Malia\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Malia\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Malia\Application Data\Intuit
C:\Documents and Settings\Malia\Application Data\Macromedia
C:\Documents and Settings\Malia\Application Data\Expensable
C:\Documents and Settings\Malia\Application Data\Intertrust
C:\Documents and Settings\Malia\Application Data\Adobe
C:\Documents and Settings\Malia\Application Data\Simple Star
C:\Documents and Settings\Malia\Application Data\Leadertech
C:\Documents and Settings\Malia\Application Data\Intervideo
C:\Documents and Settings\Malia\Application Data\Ulead Systems
C:\Documents and Settings\Malia\Application Data\7100series
C:\Documents and Settings\Malia\Application Data\Microsoft
C:\Documents and Settings\Malia\Application Data\Novatix
C:\Documents and Settings\Guest\Application Data\Identities
C:\Documents and Settings\Guest\Application Data\Mozilla
C:\Documents and Settings\Guest\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Guest\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Guest\Application Data\Intuit
C:\Documents and Settings\Guest\Application Data\Macromedia
C:\Documents and Settings\Guest\Application Data\Expensable
C:\Documents and Settings\Guest\Application Data\Intertrust
C:\Documents and Settings\Guest\Application Data\Adobe
C:\Documents and Settings\Guest\Application Data\Simple Star
C:\Documents and Settings\Guest\Application Data\Leadertech
C:\Documents and Settings\Guest\Application Data\Intervideo
C:\Documents and Settings\Guest\Application Data\Ulead Systems
C:\Documents and Settings\Guest\Application Data\7100series
C:\Documents and Settings\Guest\Application Data\Microsoft

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:46 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127453854125
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145319620734
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://auctiva.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer = 192.168.100.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer = 68.6.16.25,68.6.16.30,68.2.16.30
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9011 bytes

#7 gunner617

  • Topic Starter
  • Members
  • 10 posts

Posted 27 August 2007 - 01:41 AM

Here's the ComboFix log with the new HijackThis log...

ComboFix 07-08-26 - "Jr" 2007-08-26 23:29:58.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.592 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Jr\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\neygrrjc.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\lgetbnwf.dll
C:\WINDOWS\system32\wfgoldmj.dll
C:\WINDOWS\system32\mjamocmb.dll
C:\WINDOWS\system32\bxufbwku.dll
C:\WINDOWS\system32\tqobvuix.dll
C:\WINDOWS\system32\swckptbb.dll
C:\WINDOWS\system32\vnrqydyj.dll
C:\WINDOWS\system32\odoesgqf.dll
C:\WINDOWS\system32\fjuhxkop.dll
C:\WINDOWS\system32\njpmcwxf.dll
C:\WINDOWS\system32\vsxpxjch.dll
C:\WINDOWS\system32\nuldrdig.dll
C:\WINDOWS\system32\jyutgars.dll
C:\WINDOWS\system32\leusjmbu.dll
C:\WINDOWS\system32\qqvqiqsx.dll
C:\WINDOWS\system32\ssuxviyg.dll
C:\WINDOWS\system32\noslrdxb.dll
C:\WINDOWS\system32\dprlkxum.dll
C:\WINDOWS\system32\iyfixvcj.dll
C:\WINDOWS\system32\drvbul.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bxufbwku.dll
C:\WINDOWS\system32\dprlkxum.dll
C:\WINDOWS\system32\drvbul.dll
C:\WINDOWS\system32\fjuhxkop.dll
C:\WINDOWS\system32\iyfixvcj.dll
C:\WINDOWS\system32\jyutgars.dll
C:\WINDOWS\system32\leusjmbu.dll
C:\WINDOWS\system32\lgetbnwf.dll
C:\WINDOWS\system32\mjamocmb.dll
C:\WINDOWS\system32\neygrrjc.dll
C:\WINDOWS\system32\njpmcwxf.dll
C:\WINDOWS\system32\noslrdxb.dll
C:\WINDOWS\system32\nuldrdig.dll
C:\WINDOWS\system32\odoesgqf.dll
C:\WINDOWS\system32\qqvqiqsx.dll
C:\WINDOWS\system32\ssuxviyg.dll
C:\WINDOWS\system32\swckptbb.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tqobvuix.dll
C:\WINDOWS\system32\vnrqydyj.dll
C:\WINDOWS\system32\vsxpxjch.dll
C:\WINDOWS\system32\wfgoldmj.dll


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-26 23:14 <DIR> d-------- C:\NoLopBackups
2007-08-25 22:10 1,901 --a------ C:\WINDOWS\panose.bin
2007-08-25 21:53 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-08-25 21:53 <DIR> d-------- C:\Kpcms
2007-08-25 20:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-24 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-24 04:54 <DIR> d--hs---- C:\FOUND.000
2007-08-23 19:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-23 16:31 <DIR> d-------- C:\DOCUME~1\Jr\.housecall6.6
2007-08-23 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-23 11:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-23 11:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-22 20:59 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\Symantec
2007-08-22 20:54 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-08-22 20:24 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-22 20:24 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-22 20:24 <DIR> d-------- C:\Program Files\Norton 360
2007-08-21 21:27 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-21 17:55 <DIR> d-------- C:\Program Files\Symantec
2007-08-21 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-21 17:54 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-20 23:55 <DIR> d-------- C:\Program Files\Cox
2007-08-20 23:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Authentium
2007-08-20 23:49 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-08-20 23:19 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-08-19 23:08 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\.ABC
2007-08-19 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Quark
2007-08-19 17:39 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\Quark
2007-08-17 15:34 <DIR> d--h----- C:\DOCUME~1\Guest\InstallAnywhere
2007-08-17 15:34 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\WINDOWS
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\You've Got Pictures Screensaver
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Ulead Systems
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Simple Star
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Leadertech
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Intuit
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\InterVideo
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\InterTrust
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\ExpensAble
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\AOL
2007-08-17 15:34 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\7100Series
2007-08-14 13:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-13 19:43 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Novatix
2007-08-13 19:42 <DIR> d--h----- C:\DOCUME~1\Malia\InstallAnywhere
2007-08-13 19:42 <DIR> d---s---- C:\DOCUME~1\Malia\UserData
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\WINDOWS
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\You've Got Pictures Screensaver
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Ulead Systems
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Simple Star
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Leadertech
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\Intuit
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\InterVideo
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\InterTrust
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\ExpensAble
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\AOL
2007-08-13 19:42 <DIR> d-------- C:\DOCUME~1\Malia\APPLIC~1\7100Series
2007-08-12 01:32 <DIR> d-------- C:\Program Files\VideoProfessor
2007-08-12 01:07 40,960 --a------ C:\WINDOWS\system32\exitwx.exe
2007-08-02 00:09 <DIR> d-------- C:\DOCUME~1\Jr\APPLIC~1\WinRAR
2007-07-28 18:26 <DIR> d-------- C:\DOCUME~1\LIA~1.LIU\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 11:45 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-23 11:45 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-22 20:26 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-22 20:26 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-19 23:08 --------- d-------- C:\DOCUME~1\JR\APPLIC~1\.ABC
2007-08-12 01:43 817664 ---h----- C:\WINDOWS\system32\wodfamoh.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-17 12:21 186256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-02 12:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 12:41 36624 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-02 12:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 12:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-02 12:41 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-02 12:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 12:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 12:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 12:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 12:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 12:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 12:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 12:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 12:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 12:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 12:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 12:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 12:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 12:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 12:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 12:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 12:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 12:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 12:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-27 14:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-27 07:35 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-08 18:12 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-30 23:13]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

C:\DOCUME~1\JR\STARTM~1\PROGRAMS\STARTUP\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-08-18 03:44:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [2003-10-07 12:14 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VTTimer"=VTTimer.exe
"VTTrayp"=VTtrayp.exe
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
"PinnacleDriverCheck"=C:\WINDOWS\System32\PSDrvCheck.exe
"FLMK08KB"=C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
"PowerS"=C:\WINDOWSPowerS.exe
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
"SetDefPrt"=C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"SoundMan"=SOUNDMAN.EXE
"workflo"=D:\install\workflow.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Realtime Audio Engine"=mmrtkrnl.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ESP"=C:\Program Files\Cox\Applications\app\start.exe
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\System32\Machnm32.sys
R2 MarxDev1;MarxDev1;C:\WINDOWS\system32\drivers\MarxDev1.sys
R2 MarxDev2;MarxDev2;C:\WINDOWS\system32\drivers\MarxDev2.sys
R2 MarxDev3;MarxDev3;C:\WINDOWS\system32\drivers\MarxDev3.sys
R3 CXTuner;Conexant TVTuner;C:\WINDOWS\system32\drivers\CXTuner.sys
R3 CXVideo;Conexant Capture;C:\WINDOWS\system32\drivers\CXVCap.sys
R3 CXXBar;Conexant Crossbar;C:\WINDOWS\system32\drivers\CXXBar.sys
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys
S2 Ca536av;Take-it DV Series;C:\WINDOWS\system32\Drivers\Ca536av.sys
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 dTVdrvNT;dTVdrvNT;\??\H:\IOMEGA_HD1 (G)\program file\AV Music Morpher Gold\Effects\DirectX\dTVdrvNT.sys
S3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys
S3 USBCamera;Take-it DSC Series;C:\WINDOWS\system32\Drivers\Bulk536.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-08-24 23:33:02 C:\WINDOWS\Tasks\{6D2DE558-B1BC-43AC-B6E0-61B1BA9BF48B}_LIUFAU_Jr.job - C:\WINDOWS\system32\mobsync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 23:34:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 23:36:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-08-25 20:16
C:\ComboFix-quarantined-files.txt ... 2007-08-26 23:36

--- E O F ---

Here's the new HijackThis log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:55 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127453854125
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145319620734
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://auctiva.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer = 192.168.100.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer = 68.6.16.25,68.6.16.30,68.2.16.30
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9025 bytes

#8 gunner617 (Topic Starter)

Posted 27 August 2007 - 01:49 AM

From Jotti's malware scan results:

Scan taken on 27 Aug 2007 06:45:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#9 didom

Posted 27 August 2007 - 06:17 AM

Scan again with HijackThis and check the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)

O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer.

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Start HijackThis and perform a new scan.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
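
The triage in the reply above follows three mechanical rules that can be scripted. What follows is an added example for this thread, not code from the helper, the poster, or Trend Micro's HijackThis: it parses HijackThis 2.x log lines and returns the entries those rules select (an R0 start page whose value is empty, O2/O3 browser add-ons marked "(file missing)", and O6 Internet Explorer policy restrictions). The O4 startup entry in the helper's list is deliberately not modelled, since judging a Run value needs a path/vendor allow-list this example does not carry. The names Finding, RULES, triage and fix_list are this example's own, and SAMPLE_LOG is assembled from lines in the log posted earlier in the thread.

```python
"""Triage a HijackThis 2.x log for the entries a helper would ask to have fixed.

Added example for this thread; not code from the thread or from HijackThis.
Rules modelled: empty IE start page (R0), O2/O3 add-ons with a missing DLL,
and O6 IE policy restrictions.  SAMPLE_LOG is built from lines posted above.
"""
import re
from dataclasses import dataclass

# Every HijackThis entry line starts with its section code, e.g. "O2 - BHO: ...".
_ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code (R0, O2, O3, O6, ...)
    line: str      # the entry exactly as it appears in the log, ready to tick
    reason: str    # why the triage rule selected it


def parse_entries(log_text):
    """Yield (section, rest) for each entry line; headers and process lists are skipped."""
    for raw in log_text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("rest")


def _rule_empty_start_page(sec, rest):
    # "R0 - ...Main,Start Page =" with nothing after "=" means the value was blanked
    if sec == "R0" and re.search(r"Start Page\s*=\s*$", rest):
        return "IE start page value is empty"


def _rule_missing_addon_dll(sec, rest):
    # HijackThis appends "(file missing)" when the BHO/toolbar DLL is not on disk
    if sec in ("O2", "O3") and rest.endswith("(file missing)"):
        return "browser add-on registered but its DLL is missing from disk"


def _rule_ie_policy_restriction(sec, rest):
    # O6 lines report HKCU\Software\Policies\Microsoft\Internet Explorer\* keys
    if sec == "O6" and "Policies\\Microsoft\\Internet Explorer" in rest:
        return "Internet Explorer policy restriction present in HKCU"


RULES = (_rule_empty_start_page, _rule_missing_addon_dll, _rule_ie_policy_restriction)


def triage(log_text):
    """Return a Finding for every entry that any rule selects, in log order."""
    findings = []
    for sec, rest in parse_entries(log_text):
        for rule in RULES:
            reason = rule(sec, rest)
            if reason:
                findings.append(Finding(sec, f"{sec} - {rest}", reason))
                break  # one reason per entry is enough
    return findings


def fix_list(log_text):
    """The lines to tick before pressing 'Fix checked', ready to paste into a reply."""
    return [f.line for f in triage(log_text)]


# Constructed from entries in the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against SAMPLE_LOG it selects the same R0, O2, O3 and two O6 lines the reply asks to fix; a healthy O2 entry whose DLL exists, or an O4 entry, is left alone. The rules are plain functions so a further check can be appended to RULES without touching the parser.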

#10 gunner617 (Topic Starter)

Posted 27 August 2007 - 05:24 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-08-27 15:22
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/08/2007
Kaspersky Anti-Virus database records: 392996
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 116167
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:10:57

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-08-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9E701BF6.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\CA13165D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jr\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jr\Local Settings\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jr\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jr\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jr\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jr\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Jr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\history.dat Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\key3.db Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jr\Application Data\Mozilla\Firefox\Profiles\q9v81j4u.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jr\ntuser.dat Object is locked skipped
C:\Documents and Settings\Lia.LIUFAU\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lia.LIUFAU\ntuser.dat Object is locked skipped
C:\Documents and Settings\Baby Tesa\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Baby Tesa\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator.LIUFAU.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.LIUFAU.000\ntuser.dat Object is locked skipped
C:\Documents and Settings\Malia\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Malia\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Guest\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Guest\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\System Volume Information\_restore{627BEF57-C8FA-4930-B766-E7A44887C531}\RP3\A0000146.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{627BEF57-C8FA-4930-B766-E7A44887C531}\RP3\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnopqo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drvbul.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\Install\PC DJ Mixing Software\PCDJ.exe Infected: not-a-virus:AdWare.Win32.TimeSink.d skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
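A defender reading a report like the one above wants to know which detections still matter. As an added example (not part of this thread or of Kaspersky's tooling), the script below sorts the "Infected:" lines by where the object lives: still inside a System Restore point (cleared when System Restore is reset), already in a quarantine folder (QooBox\Quarantine is the folder ComboFix creates), flagged only as "not-a-virus" riskware or adware (often a component of a legitimate tool, as with SmitfraudFix's Reboot.exe), or a live file that still needs action. The sample lines are copied from the report posted above; the bucket names and the line format assumed by the regex are this example's own choices.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example; it assumes report lines of the form
"<path> Infected: <verdict> skipped" as seen in the thread.
"""
import re

# Constructed sample: lines taken from the scan report posted above.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\Jr\\ntuser.dat.LOG Object is locked skipped
C:\\Documents and Settings\\Jr\\Desktop\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Documents and Settings\\Jr\\Desktop\\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\\System Volume Information\\_restore{627BEF57-C8FA-4930-B766-E7A44887C531}\\RP3\\A0000146.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\drvbul.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\\Install\\PC DJ Mixing Software\\PCDJ.exe Infected: not-a-virus:AdWare.Win32.TimeSink.d skipped

Scan process completed.
"""

# Only lines with an explicit "Infected:" verdict are detections; locked
# objects and archive summaries ("RarSFX: infected - 2") are skipped here.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")

BUCKETS = ("restore_point", "quarantined", "riskware", "live")


def classify(path, verdict):
    """Assign one detection to a bucket based on its location and verdict."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"      # neutralised by resetting System Restore
    if "\\quarantine\\" in low:
        return "quarantined"        # already isolated by a cleanup tool
    if verdict.startswith("not-a-virus:"):
        return "riskware"           # adware/risktool, review but not malware proper
    return "live"                   # still on disk in a normal location


def triage(report_text):
    """Return {bucket: [(path, verdict), ...]} for every Infected: line."""
    buckets = {name: [] for name in BUCKETS}
    for line in report_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        path, verdict = m.group("path"), m.group("verdict")
        buckets[classify(path, verdict)].append((path, verdict))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for path, verdict in items:
            print(f"    {verdict:45} {path}")
```

Run against the real report, an empty `live` bucket is the useful signal: the Trojan.Win32.Dialer.qn hits are confined to a restore point and a quarantine folder, which is exactly what the later advice to reset System Restore addresses.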

#11 gunner617 (Topic Starter, Members, 10 posts)

Posted 27 August 2007 - 05:27 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:25, on 2007-08-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Lia')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1008\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe (User 'Lia')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1008\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" (User 'Lia')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Lia')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Lia')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Baby Tesa')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-1011\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Malia')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-500\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1974565712-2111342016-2801439982-501\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Guest')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127453854125
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145319620734
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://auctiva.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer = 192.168.100.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer = 68.6.16.25,68.6.16.30,68.2.16.30
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10096 bytes

#12 gunner617 (Topic Starter, Members, 10 posts)

Posted 27 August 2007 - 09:48 PM

also... once in a while i would get an error box that would pop up saying:

Microsoft Visual C++ Runtime Library Runtime Error!

Program: C:\Program\Common Files\Symantec Shared\ccSvcHst.exe

This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

....what does this mean?????

#13 didom (Members, 1,389 posts, Gender: Male)

Posted 28 August 2007 - 02:08 PM

Scan again with HijackThis and check the following items:
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\

After checking these items, close all browser windows except HijackThis and click "Fix checked".

also... once in a while i would get an error box that would pop up saying:

Microsoft Visual C++ Runtime Library Runtime Error!

Program: C:\Program\Common Files\Symantec Shared\ccSvcHst.exe

This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

....what does this mean?????

Please read this article from Microsoft: http://support.microsoft.com/?scid=kb%3Ben...p;x=10&y=15

I think that hotfix will solve the problem.



Post a fresh HijackThis log and tell me how your computer is running now in your next reply.
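The two entries didom singles out share a pattern that is easy to check mechanically: an O2 BHO whose CLSID is still registered but whose DLL is gone ("(no file)"), and an O20 Winlogon Notify entry that points at a bare directory rather than a DLL. As an added example (not part of the thread or of the HijackThis tool), the script below scans HijackThis 2.0.2 log lines for exactly those two conditions. The regexes assume the line layout shown in the logs above; the sample lines are copied from the thread, and the flag wording is this example's own.

```python
"""Flag HijackThis O2 and O20 entries that commonly need attention.

Added example. Assumes the HijackThis 2.0.2 line layout seen in this thread:
  O2 - BHO: <name> - {CLSID} - <path or "(no file)">
  O20 - Winlogon Notify: <key> - <path>
"""
import re

# Constructed sample: lines taken from the HijackThis log posted above.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O20 - Winlogon Notify: wineak32 - C:\\WINDOWS\\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def flag_entries(log_text):
    """Return [(line, reason), ...] for entries a helper would ask to fix."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O2_RE.match(line)
        if m:
            # A BHO CLSID with no DLL behind it is an orphaned registration:
            # harmless by itself, but a leftover worth removing.
            if m.group("path") == "(no file)":
                flagged.append((line, f"orphaned BHO {m.group('clsid')}: DLL missing"))
            continue

        m = O20_RE.match(line)
        if m:
            # Winlogon Notify packages must name a DLL; a bare directory such
            # as C:\WINDOWS\ means the registry value is broken or was
            # left behind by something that has since been removed.
            if not m.group("path").lower().endswith(".dll"):
                flagged.append((line, f"Winlogon Notify '{m.group('key')}' does not point at a DLL"))
            continue

    return flagged


if __name__ == "__main__":
    for line, reason in flag_entries(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The same check can be run over a full log file by passing its contents to `flag_entries`; entries it does not flag (the Adobe BHO, the O4 and O23 lines) are left alone, mirroring the manual triage in this post.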

#14 gunner617 (Topic Starter, Members, 10 posts)

Posted 28 August 2007 - 03:51 PM

everything seems to be running smoothly...so far.... but I'll let u know if anything else arises... thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40, on 2007-08-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127453854125
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145319620734
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://auctiva.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65819C9F-CE06-4657-8B3D-2CAE96B2C12A}: NameServer = 192.168.100.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6D61133-9686-4AB4-8817-C1DCD69AAC13}: NameServer = 68.6.16.25,68.6.16.30,68.2.16.30
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8498 bytes

#15 didom (Members, 1,389 posts, Gender: Male)

Posted 29 August 2007 - 02:06 AM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
    • Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check "Turn off System Restore".
      • Click Apply, and then click OK.
    • Reboot your computer.
    • Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-Check "Turn off System Restore".
      • Click Apply, and then click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....
