Ad Pop-ups From Winfixer Or Something Like It


13 replies to this topic

#1 Coz80

Posted 28 August 2007 - 08:46 AM

So far, I have run Spy Blaster, Ad-Aware, VirtumundoBeGone.exe, Vundofix.exe, Norton's, and House Call by Trend Micro. I believe I have removed any viruses that were on my system. However, after running all of these programs, I still have the annoying pop-ups from Circuit City, Heavy.com, upliftsearch.com, broadcaster.com, and many others. It isn't as bad as before, but they are still popping up. This thing will just not go away. I was hoping someone here would be able to help me get rid of this pop-up. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:52 AM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\mjpsypjr.dll
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8071 bytes
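As an added example (not code from this thread, from HijackThis or from the poster), the Python below parses O2 lines in the format of the log above and sorts each Browser Helper Object into a triage bucket: dead registrations, entries whose file is gone, and unnamed DLLs sitting in system32, the shape the entry at {47B83D78-...} has in the posted log. The sample lines are constructed to mirror entries from the log, and the random-name heuristic is an assumption of mine: it flags entries for a closer look, it is not a malware verdict.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: O2 lines in the same shape as the posted log (one O3 line
# included to show that unrelated sections are ignored).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\mjpsypjr.dll
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
"""

# "O2 - BHO: <name> - {CLSID} - <target>", where target is a path, a path
# followed by " (file missing)", or the literal "(no file)".
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# Assumed heuristic: a short, all-lowercase DLL name dropped straight into
# system32 with no vendor name in the BHO registration. Legitimate BHOs almost
# always carry a name and live under Program Files, so this is a cheap prompt
# for review, not proof of anything.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")
MISSING_SUFFIX = " (file missing)"


@dataclass
class Bho:
    name: str
    clsid: str
    path: Optional[str]   # None when HJT reports "(no file)"
    bucket: str


def _bucket(name: str, path: Optional[str], file_missing: bool) -> str:
    if path is None:
        return "orphan"        # registry entry with no file: dead weight, safe to clean
    if file_missing:
        return "missing"       # file already gone, often removed by an earlier tool
    basename = path.rsplit("\\", 1)[-1]
    in_system32 = "\\system32\\" in path.lower()
    if name == "(no name)" and in_system32 and RANDOM_DLL.match(basename):
        return "suspicious"    # unnamed random-looking DLL in system32: look closer
    if name == "(no name)":
        return "review"        # unnamed but in a vendor directory
    return "named"


def parse_o2(log_text: str) -> List[Bho]:
    """Return one Bho per O2 line; every other HJT section is skipped."""
    findings: List[Bho] = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue
        target = m.group("target")
        if target == "(no file)":
            path, file_missing = None, False
        else:
            file_missing = target.endswith(MISSING_SUFFIX)
            path = target[: -len(MISSING_SUFFIX)] if file_missing else target
        bucket = _bucket(m.group("name"), path, file_missing)
        findings.append(Bho(m.group("name"), m.group("clsid"), path, bucket))
    return findings


def summarize(findings: List[Bho]) -> Dict[str, int]:
    """Count entries per bucket so the shape of the log is visible at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.bucket] = counts.get(f.bucket, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_o2(SAMPLE_LOG)
    for f in found:
        print(f"{f.bucket:<10} {f.clsid} {f.path or '(no file)'}")
    print(summarize(found))
```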

#2 RichieUK (Malware Response Team)

Posted 28 August 2007 - 09:33 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Coz80 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download Systemscan and save it to your desktop.
Double-click on Systemscan.exe to run the tool.
A warning box will appear. Please read and click Ok.
When SystemScan opens, click the "Unselect all" button.
Important: under "Make your choice and than click..." check the boxes next to:

PC accounts
Recent files (60 days)
Hidden Objects


Everything else should be unchecked.
Click "Scan Now".
Another warning box will appear. Please follow the instructions and click Ok.
Systemscan will scan your computer and create a folder at C:\suspectfile to save the log files. Please be patient while the scan is in progress.
When the scan is complete, Notepad will automatically open a log file named report.txt.
This log file will show a list of all user accounts, all files/folders created in the last 60 days and any Hidden files that were found.
Copy and paste the contents of report.txt in your next reply.

Also post a new Hijackthis log please.

#3 Coz80 (Topic Starter)

Posted 28 August 2007 - 10:33 AM

I appreciate the help, RichieUK. I followed the steps and this is a post of the Systemscan log:

SystemScan - www.suspectfile.com - ver. 3.2.0

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS

Date: 8/28/2007
Time: 11:24:44 AM

Output limited to:
-Recent files
-PC accounts
-Hidden objects

===================== Accounts on this PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| ASPNET
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | Owner
| SUPPORT_388945a0 (Disabled)

### users folders

19/08/2004 21:16:17 (DIR) 0 byte 1104 days old -- LocalService
05/01/2005 14:52:53 (DIR) 0 byte 965 days old -- Default User
05/01/2005 14:53:03 (DIR) 0 byte 965 days old -- All Users
31/01/2006 17:21:21 (DIR) 0 byte 574 days old -- Administrator
28/04/2006 09:05:16 (DIR) 0 byte 487 days old -- NetworkService
28/08/2007 11:10:11 (DIR) 0 byte 0 days old -- Owner

===================== Recent files (60 days old)=====================

----- recent files in C:\
24/08/2007 13:29:31 211 byte 4 days old -- boot.ini
28/08/2007 09:18:58 188 byte 0 days old -- VundoFix.txt
28/08/2007 11:11:05 792723456 byte 0 days old -- pagefile.sys
28/08/2007 11:11:09 (DIR)527220736 byte 0 days old -- hiberfil.sys
28/08/2007 11:13:07 (DIR) 0 byte 0 days old -- Program Files
28/08/2007 11:13:46 (DIR) 0 byte 0 days old -- Config.Msi
28/08/2007 11:13:49 (DIR) 0 byte 0 days old -- WINDOWS
28/08/2007 11:24:44 (DIR) 0 byte 0 days old -- suspectfile

----- recent files in C:\WINDOWS\
24/07/2007 09:16:47 573 byte 35 days old -- ODBC.INI
15/08/2007 08:40:07 (DIR) 0 byte 13 days old -- $hf_mig$
15/08/2007 14:00:58 (DIR) 0 byte 13 days old -- WinSxS
15/08/2007 14:01:03 290278 byte 13 days old -- msxml4-KB936181-enu.LOG
15/08/2007 14:02:30 (DIR) 0 byte 13 days old -- $NtUninstallKB937143$
15/08/2007 14:03:08 36238 byte 13 days old -- KB937143.log
15/08/2007 14:03:20 (DIR) 0 byte 13 days old -- $NtUninstallKB938127$
15/08/2007 14:03:24 18709 byte 13 days old -- KB938127.log
15/08/2007 14:06:03 (DIR) 0 byte 13 days old -- $NtUninstallKB938829$
15/08/2007 14:06:06 18944 byte 13 days old -- KB938829.log
15/08/2007 14:06:11 (DIR) 0 byte 13 days old -- $NtUninstallKB921503$
15/08/2007 14:06:13 19057 byte 13 days old -- KB921503.log
15/08/2007 14:07:03 (DIR) 0 byte 13 days old -- $NtUninstallKB936782_WMP9$
15/08/2007 14:07:09 16182 byte 13 days old -- KB936782.log
15/08/2007 14:07:09 118020 byte 13 days old -- wmsetup.log
15/08/2007 14:07:17 (DIR) 0 byte 13 days old -- $NtUninstallKB938828$
15/08/2007 14:07:20 19688 byte 13 days old -- KB938828.log
15/08/2007 14:07:20 1374 byte 13 days old -- imsins.BAK
15/08/2007 14:07:24 (DIR) 0 byte 13 days old -- $NtUninstallKB936021$
15/08/2007 14:07:25 111226 byte 13 days old -- updspapi.log
15/08/2007 14:07:27 47739 byte 13 days old -- ocmsn.log
15/08/2007 14:07:27 336075 byte 13 days old -- tsoc.log
15/08/2007 14:07:27 414177 byte 13 days old -- ocgen.log
15/08/2007 14:07:27 43204 byte 13 days old -- msgsocm.log
15/08/2007 14:07:27 176673 byte 13 days old -- ntdtcsetup.log
15/08/2007 14:07:27 138427 byte 13 days old -- iis6.log
15/08/2007 14:07:27 293359 byte 13 days old -- comsetup.log
15/08/2007 14:07:27 861826 byte 13 days old -- FaxSetup.log
15/08/2007 14:07:27 1374 byte 13 days old -- imsins.log
15/08/2007 14:07:27 20181 byte 13 days old -- KB936021.log
15/08/2007 15:02:43 12980 byte 13 days old -- spupdsvc.log
23/08/2007 12:53:34 (DIR) 0 byte 5 days old -- Registration
24/08/2007 08:48:44 (DIR) 0 byte 4 days old -- inf
24/08/2007 13:29:07 (DIR) 0 byte 4 days old -- pss
24/08/2007 13:29:31 653 byte 4 days old -- win.ini
24/08/2007 13:29:31 227 byte 4 days old -- system.ini
24/08/2007 15:58:45 356879 byte 4 days old -- setupapi.log
24/08/2007 15:58:45 (DIR) 0 byte 4 days old -- Downloaded Program Files
24/08/2007 16:22:43 555566 byte 4 days old -- ntbtlog.txt
25/08/2007 11:54:42 5277 byte 3 days old -- IE4 Error Log.txt
27/08/2007 11:25:10 (DIR) 0 byte 1 days old -- Help
28/08/2007 11:10:28 32656 byte 0 days old -- SchedLgU.Txt
28/08/2007 11:11:11 2048 byte 0 days old -- bootstat.dat
28/08/2007 11:11:27 49 byte 0 days old -- wiaservc.log
28/08/2007 11:11:28 159 byte 0 days old -- wiadebug.log
28/08/2007 11:11:30 0 byte 0 days old -- 0.log
28/08/2007 11:11:30 2055597 byte 0 days old -- WindowsUpdate.log
28/08/2007 11:13:19 (DIR) 0 byte 0 days old -- Prefetch
28/08/2007 11:13:45 (DIR) 0 byte 0 days old -- system32
28/08/2007 11:13:46 (DIR) 0 byte 0 days old -- Installer
28/08/2007 11:17:47 (DIR) 0 byte 0 days old -- Temp
11/07/2007 14:00:33 (DIR) 0 byte 48 days old -- $NtUninstallKB936357$
11/07/2007 14:00:39 11390 byte 48 days old -- KB936357.log

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
03/08/2007 00:34:10 16789464 byte 25 days old -- MRT.exe
16/07/2007 08:41:38 294072 byte 43 days old -- FNTCACHE.DAT
30/07/2007 19:18:14 20312 byte 29 days old -- wuaueng.dll.mui
30/07/2007 19:18:40 33624 byte 29 days old -- wups.dll
30/07/2007 19:18:44 34136 byte 29 days old -- wucltui.dll.mui
30/07/2007 19:19:02 25944 byte 29 days old -- wuapi.dll.mui
30/07/2007 19:19:12 43352 byte 29 days old -- wups2.dll
30/07/2007 19:19:16 53080 byte 29 days old -- wuauclt.exe
30/07/2007 19:19:20 92504 byte 29 days old -- cdm.dll
30/07/2007 19:19:28 203096 byte 29 days old -- wuweb.dll
30/07/2007 19:19:28 216408 byte 29 days old -- wuaucpl.cpl
30/07/2007 19:19:32 25944 byte 29 days old -- wuaucpl.cpl.mui
30/07/2007 19:19:32 325976 byte 29 days old -- wucltui.dll
30/07/2007 19:19:36 549720 byte 29 days old -- wuapi.dll
30/07/2007 19:19:42 1712984 byte 29 days old -- wuaueng.dll
15/08/2007 12:49:58 0 byte 13 days old -- FlashPaper2PrinterPort
23/08/2007 16:20:36 (DIR) 0 byte 5 days old -- dllz1
23/08/2007 16:20:45 43542 byte 5 days old -- fccawvu.dll.vir
24/08/2007 08:46:09 70208 byte 4 days old -- ifmjbaxx.dll
24/08/2007 10:55:46 (DIR) 0 byte 4 days old -- dllcache
24/08/2007 12:00:33 297568 byte 4 days old -- ssqrp.dll.vir
24/08/2007 12:01:29 1821700 byte 4 days old -- prqss.bak1
24/08/2007 12:01:42 70208 byte 4 days old -- mjpsypjr.dll
24/08/2007 15:12:43 (DIR) 0 byte 4 days old -- drivers
25/08/2007 12:02:02 1844479 byte 3 days old -- prqss.bak2
25/08/2007 12:02:12 1823968 byte 3 days old -- prqss.ini
27/08/2007 08:58:50 (DIR) 0 byte 1 days old -- tenarchlib
28/08/2007 11:10:20 (DIR) 0 byte 0 days old -- CatRoot2
28/08/2007 11:11:50 1158 byte 0 days old -- wpa.dbl
28/08/2007 11:13:44 4937 byte 0 days old -- jupdate-1.6.0_02-b06.log
12/07/2007 01:22:00 135168 byte 47 days old -- java.exe
12/07/2007 01:22:04 135168 byte 47 days old -- javaw.exe
12/07/2007 02:22:36 69632 byte 47 days old -- javacpl.cpl
12/07/2007 02:22:38 139264 byte 47 days old -- javaws.exe

----- recent files in C:\WINDOWS\system32\drivers\
24/08/2007 14:03:49 (DIR) 0 byte 4 days old -- etc

----- recent files in C:\WINDOWS\temp\
03/08/2007 08:10:29 16384 byte 25 days old -- Perflib_Perfdata_14c.dat
15/08/2007 14:06:58 596 byte 13 days old -- hpzcoi20.log
15/08/2007 14:07:01 596 byte 13 days old -- hpzcoi21.log
24/08/2007 10:55:32 16384 byte 4 days old -- Perflib_Perfdata_160.dat
25/08/2007 11:36:14 16384 byte 3 days old -- Perflib_Perfdata_1ac.dat
25/08/2007 12:01:31 16384 byte 3 days old -- Perflib_Perfdata_c14.dat
28/08/2007 11:11:13 255 byte 0 days old -- WGAErrLog.txt
28/08/2007 11:11:27 16384 byte 0 days old -- Perflib_Perfdata_9c.dat
28/08/2007 11:12:08 409 byte 0 days old -- WGANotify.settings

----- recent files in C:\Program Files\
13/07/2007 12:59:48 (DIR) 0 byte 46 days old -- Bonjour
13/07/2007 13:52:05 (DIR) 0 byte 46 days old -- uTorrent
13/07/2007 14:14:46 (DIR) 0 byte 46 days old -- PowerISO
13/07/2007 14:48:30 (DIR) 0 byte 46 days old -- Adobe
23/08/2007 16:20:45 (DIR) 0 byte 5 days old -- MSN
28/08/2007 08:36:56 (DIR) 0 byte 0 days old -- Internet Explorer
28/08/2007 09:31:52 (DIR) 0 byte 0 days old -- Trend Micro
28/08/2007 11:13:05 (DIR) 0 byte 0 days old -- Common Files
28/08/2007 11:13:44 (DIR) 0 byte 0 days old -- Java

----- recent files in C:\Program Files\Common Files\
13/07/2007 12:52:16 (DIR) 0 byte 46 days old -- Macrovision Shared
13/07/2007 14:41:19 (DIR) 0 byte 46 days old -- Adobe Systems Shared
13/07/2007 14:46:01 (DIR) 0 byte 46 days old -- Adobe
28/08/2007 11:12:56 (DIR) 0 byte 0 days old -- Symantec Shared
28/08/2007 11:13:05 (DIR) 0 byte 0 days old -- Java

----- recent files in C:\Documents and Settings\Owner\Application Data\
27/07/2007 15:14:29 (DIR) 0 byte 32 days old -- Opera
31/07/2007 09:24:15 (DIR) 0 byte 28 days old -- Adobe
27/08/2007 09:09:27 (DIR) 0 byte 1 days old -- Tenebril
27/08/2007 16:42:24 (DIR) 0 byte 1 days old -- uTorrent

----- recent files in C:\DOCUME~1\Owner\LOCALS~1\Temp\
01/08/2007 08:45:04 1430 byte 27 days old -- MAR235.tmp
01/08/2007 08:45:34 47122 byte 27 days old -- DIO494.tmp
01/08/2007 08:45:53 47122 byte 27 days old -- DIO498.tmp
01/08/2007 14:05:25 47122 byte 27 days old -- DIO4CC.tmp
02/08/2007 08:33:12 1430 byte 26 days old -- MAR236.tmp
02/08/2007 08:33:48 47122 byte 26 days old -- DIO496.tmp
02/08/2007 08:34:23 47122 byte 26 days old -- DIO49A.tmp
03/08/2007 08:10:55 2086185 byte 25 days old -- jar_cache28995.tmp
03/08/2007 08:11:14 16384 byte 25 days old -- ~DF2B66.tmp
03/08/2007 08:11:14 1430 byte 25 days old -- MAR237.tmp
03/08/2007 08:11:46 47122 byte 25 days old -- DIO499.tmp
03/08/2007 08:12:21 47122 byte 25 days old -- DIO49E.tmp
03/08/2007 09:03:49 77767 byte 25 days old -- FRONTPG.log
03/08/2007 15:59:49 (DIR) 0 byte 25 days old -- WER0d3f.dir00
03/08/2007 16:05:39 1430 byte 25 days old -- MAR238.tmp
03/08/2007 16:06:41 47122 byte 25 days old -- DIO49B.tmp
03/08/2007 16:07:29 47122 byte 25 days old -- DIO4C4.tmp
04/08/2007 11:40:08 1430 byte 24 days old -- MAR239.tmp
04/08/2007 11:40:36 47122 byte 24 days old -- DIO49C.tmp
04/08/2007 11:41:15 47122 byte 24 days old -- DIO49F.tmp
05/07/2007 09:02:32 1430 byte 54 days old -- MAR21F.tmp
05/07/2007 09:03:01 47122 byte 54 days old -- DIO463.tmp
05/07/2007 09:03:33 47122 byte 54 days old -- DIO46D.tmp
06/07/2007 08:35:38 1430 byte 53 days old -- MAR220.tmp
06/07/2007 08:36:19 47122 byte 53 days old -- DIO465.tmp
06/07/2007 08:36:40 47122 byte 53 days old -- DIO471.tmp
06/08/2007 09:35:54 1430 byte 22 days old -- MAR23A.tmp
06/08/2007 09:36:37 47122 byte 22 days old -- DIO49D.tmp
06/08/2007 09:37:20 47122 byte 22 days old -- DIO4A2.tmp
06/08/2007 15:02:18 (DIR) 0 byte 22 days old -- Adobelm_Cleanup.0001.dir.0001
06/08/2007 15:02:47 59964 byte 22 days old -- Adobelm_Cleanup.0001
06/08/2007 15:03:14 (DIR) 0 byte 22 days old -- Adobelm_Cleanup.0001.dir.0000
06/08/2007 15:03:14 (DIR) 0 byte 22 days old -- Adobelm_Cleanup.0001.dir.0002
06/08/2007 15:15:27 (DIR) 0 byte 22 days old -- DPE
06/08/2007 15:15:31 589128 byte 22 days old -- DPE.DUS
06/08/2007 15:36:12 47122 byte 22 days old -- DIO5C0.tmp
07/08/2007 08:25:08 1430 byte 21 days old -- MAR23B.tmp
07/08/2007 08:25:41 47122 byte 21 days old -- DIO4A0.tmp
07/08/2007 08:26:00 47122 byte 21 days old -- DIO4A3.tmp
07/08/2007 12:28:54 47122 byte 21 days old -- DIO4E3.tmp
13/07/2007 08:45:12 1430 byte 46 days old -- MAR226.tmp
13/07/2007 08:45:39 47122 byte 46 days old -- DIO473.tmp
13/07/2007 08:46:06 47122 byte 46 days old -- DIO475.tmp
13/07/2007 12:49:12 (DIR) 0 byte 46 days old -- _PASFX919
13/07/2007 12:50:11 74256 byte 46 days old -- {045CFB2B-65A3-49C9-BABC-E4452254C7AF}background.png
13/07/2007 12:50:11 41561 byte 46 days old -- {045CFB2B-65A3-49C9-BABC-E4452254C7AF}Titan.ico
13/07/2007 12:50:16 45630 byte 46 days old -- {BCD30B43-9083-4441-9284-E528A1285042}Setup.ico
13/07/2007 12:50:16 93314 byte 46 days old -- {E469E805-E012-4A29-A536-99AE33FE0C6D}estk_ribs_bgd.png
13/07/2007 12:50:16 42014 byte 46 days old -- {762E17C8-C547-4B10-B053-F329F39A0D80}bridge.ico
13/07/2007 12:50:16 20376 byte 46 days old -- {BCD30B43-9083-4441-9284-E528A1285042}background.png
13/07/2007 14:44:21 (DIR) 0 byte 46 days old -- {236BB7C4-4419-42FD-0409-1E257A25E34D}
13/07/2007 15:04:22 (DIR) 0 byte 46 days old -- CopyFileList
16/07/2007 08:43:31 1430 byte 43 days old -- MAR227.tmp
16/07/2007 08:44:01 47122 byte 43 days old -- DIO474.tmp
16/07/2007 08:44:51 47122 byte 43 days old -- DIO477.tmp
16/07/2007 09:23:24 47122 byte 43 days old -- DIO48D.tmp
16/07/2007 14:58:48 7709 byte 43 days old -- amt.log
16/07/2007 14:58:48 2867 byte 43 days old -- alm.log
17/07/2007 09:14:50 16384 byte 42 days old -- ~DF617F.tmp
17/07/2007 09:15:11 1430 byte 42 days old -- MAR228.tmp
17/07/2007 09:15:50 47122 byte 42 days old -- DIO476.tmp
17/07/2007 09:16:32 47122 byte 42 days old -- DIO480.tmp
17/07/2007 14:27:14 (DIR) 0 byte 42 days old -- Temporary Directory 53 for eism.zip
18/07/2007 08:49:39 16384 byte 41 days old -- ~DF5A4B.tmp
18/07/2007 08:49:56 1430 byte 41 days old -- MAR229.tmp
18/07/2007 08:50:27 47122 byte 41 days old -- DIO478.tmp
18/07/2007 08:51:12 47122 byte 41 days old -- DIO47C.tmp
19/07/2007 08:44:19 1430 byte 40 days old -- MAR22A.tmp
19/07/2007 08:44:52 47122 byte 40 days old -- DIO479.tmp
19/07/2007 08:45:26 47122 byte 40 days old -- DIO485.tmp
19/07/2007 10:47:51 47122 byte 40 days old -- DIO4B3.tmp
20/07/2007 16:20:13 1430 byte 39 days old -- MAR22B.tmp
20/07/2007 16:20:54 47122 byte 39 days old -- DIO47A.tmp
20/07/2007 16:21:11 47122 byte 39 days old -- DIO47F.tmp
23/07/2007 08:46:49 1430 byte 36 days old -- MAR22C.tmp
23/07/2007 08:47:20 47122 byte 36 days old -- DIO47D.tmp
23/07/2007 08:47:38 47122 byte 36 days old -- DIO482.tmp
23/07/2007 12:49:48 262448 byte 36 days old -- NT4HDA0B.emf
24/07/2007 09:00:20 1430 byte 35 days old -- MAR22D.tmp
24/07/2007 09:00:51 47122 byte 35 days old -- DIO481.tmp
24/07/2007 09:01:16 47122 byte 35 days old -- DIO484.tmp
25/07/2007 08:29:53 1430 byte 34 days old -- MAR22E.tmp
25/07/2007 08:30:20 47122 byte 34 days old -- DIO483.tmp
25/07/2007 08:31:10 47122 byte 34 days old -- DIO489.tmp
26/07/2007 08:55:47 1430 byte 33 days old -- MAR22F.tmp
26/07/2007 08:56:23 47122 byte 33 days old -- DIO486.tmp
26/07/2007 08:56:48 47122 byte 33 days old -- DIO48B.tmp
27/07/2007 08:51:05 1430 byte 32 days old -- MAR230.tmp
27/07/2007 08:51:50 47122 byte 32 days old -- DIO487.tmp
27/07/2007 08:52:35 47122 byte 32 days old -- DIO48C.tmp
27/07/2007 11:27:45 41576 byte 32 days old -- 4ba2_appcompat.txt
27/07/2007 11:29:59 1430 byte 32 days old -- MAR231.tmp
27/07/2007 11:30:32 47122 byte 32 days old -- DIO488.tmp
27/07/2007 11:30:41 47122 byte 32 days old -- DIO48E.tmp
27/07/2007 16:48:07 1430 byte 32 days old -- MAR232.tmp
27/07/2007 16:48:43 47122 byte 32 days old -- DIO48A.tmp
27/07/2007 16:49:07 47122 byte 32 days old -- DIO491.tmp
30/07/2007 08:15:29 1430 byte 29 days old -- MAR233.tmp
30/07/2007 08:16:04 47122 byte 29 days old -- DIO490.tmp
30/07/2007 08:16:34 47122 byte 29 days old -- DIO493.tmp
31/07/2007 08:28:39 1430 byte 28 days old -- MAR234.tmp
31/07/2007 08:29:37 47122 byte 28 days old -- DIO492.tmp
31/07/2007 08:30:38 47122 byte 28 days old -- DIO497.tmp
31/07/2007 12:15:44 32219 byte 28 days old -- mso33098.jpg
08/08/2007 08:40:45 1430 byte 20 days old -- MAR23C.tmp
08/08/2007 08:41:14 47122 byte 20 days old -- DIO4A1.tmp
08/08/2007 08:41:35 47122 byte 20 days old -- DIO4A5.tmp
08/08/2007 11:26:01 47122 byte 20 days old -- DIO4DD.tmp
13/08/2007 08:26:37 1430 byte 15 days old -- MAR23F.tmp
13/08/2007 08:27:10 47122 byte 15 days old -- DIO4A8.tmp
13/08/2007 08:27:33 47122 byte 15 days old -- DIO4AF.tmp
13/08/2007 15:44:51 47122 byte 15 days old -- DIO624.tmp
14/08/2007 09:23:19 1430 byte 14 days old -- MAR240.tmp
14/08/2007 09:24:20 47122 byte 14 days old -- DIO4AA.tmp
14/08/2007 09:25:10 47122 byte 14 days old -- DIO4B4.tmp
14/08/2007 09:47:13 47122 byte 14 days old -- DIO4D7.tmp
15/08/2007 08:36:47 1430 byte 13 days old -- MAR241.tmp
15/08/2007 08:37:19 47122 byte 13 days old -- DIO4AB.tmp
15/08/2007 08:37:45 47122 byte 13 days old -- DIO4AD.tmp
15/08/2007 08:50:43 47122 byte 13 days old -- DIO4CA.tmp
15/08/2007 15:03:40 1430 byte 13 days old -- MAR242.tmp
15/08/2007 15:04:24 47122 byte 13 days old -- DIO4AC.tmp
15/08/2007 15:04:39 47122 byte 13 days old -- DIO4B0.tmp
16/08/2007 08:46:48 1430 byte 12 days old -- MAR243.tmp
16/08/2007 08:47:24 47122 byte 12 days old -- DIO4AE.tmp
16/08/2007 08:47:51 47122 byte 12 days old -- DIO4B2.tmp
16/08/2007 10:04:30 47122 byte 12 days old -- DIO4C2.tmp
17/08/2007 08:35:57 16384 byte 11 days old -- ~DF5663.tmp
17/08/2007 08:36:04 1430 byte 11 days old -- MAR244.tmp
17/08/2007 08:36:46 47122 byte 11 days old -- DIO4B1.tmp
17/08/2007 08:37:10 47122 byte 11 days old -- DIO4BD.tmp
17/08/2007 15:28:29 47122 byte 11 days old -- DIO52B.tmp
20/08/2007 08:40:10 1430 byte 8 days old -- MAR245.tmp
20/08/2007 08:40:50 47122 byte 8 days old -- DIO4B5.tmp
20/08/2007 08:41:53 47122 byte 8 days old -- DIO4BE.tmp
21/08/2007 08:56:29 1430 byte 7 days old -- MAR246.tmp
21/08/2007 08:56:56 47122 byte 7 days old -- DIO4B6.tmp
21/08/2007 08:57:21 47122 byte 7 days old -- DIO4B9.tmp
21/08/2007 14:09:47 (DIR) 0 byte 7 days old -- msohtml1
22/08/2007 08:15:47 1430 byte 6 days old -- MAR247.tmp
22/08/2007 08:16:19 47122 byte 6 days old -- DIO4B7.tmp
22/08/2007 08:16:49 47122 byte 6 days old -- DIO4BF.tmp
22/08/2007 14:19:45 47122 byte 6 days old -- DIO549.tmp
23/08/2007 08:52:05 1430 byte 5 days old -- MAR248.tmp
23/08/2007 08:52:59 47122 byte 5 days old -- DIO4BB.tmp
23/08/2007 08:53:22 47122 byte 5 days old -- DIO4C6.tmp
23/08/2007 16:20:03 109586 byte 5 days old -- k11u72.exe
23/08/2007 16:33:04 1430 byte 5 days old -- MAR249.tmp
23/08/2007 16:33:55 47122 byte 5 days old -- DIO4C0.tmp
23/08/2007 16:34:22 47122 byte 5 days old -- DIO4C5.tmp
24/08/2007 08:45:45 1430 byte 4 days old -- MAR24A.tmp
24/08/2007 08:46:38 47122 byte 4 days old -- DIO4C1.tmp
24/08/2007 08:47:52 47122 byte 4 days old -- DIO4D3.tmp
24/08/2007 10:56:44 2086185 byte 4 days old -- jar_cache50353.tmp
24/08/2007 10:59:28 1430 byte 4 days old -- MAR24B.tmp
24/08/2007 11:00:02 16384 byte 4 days old -- ~DF82EA.tmp
24/08/2007 11:00:32 47122 byte 4 days old -- DIO4C7.tmp
24/08/2007 11:01:17 47122 byte 4 days old -- DIO4C9.tmp
24/08/2007 11:06:41 16384 byte 4 days old -- ~DF8C2C.tmp
24/08/2007 11:06:41 512 byte 4 days old -- ~DF8C4D.tmp
24/08/2007 11:06:51 512 byte 4 days old -- ~DFA4FC.tmp
24/08/2007 11:06:56 512 byte 4 days old -- ~DFBD50.tmp
24/08/2007 11:51:11 32768 byte 4 days old -- ~DF24A.tmp
24/08/2007 11:55:42 110 byte 4 days old -- newtb1handler.log
24/08/2007 11:55:42 222 byte 4 days old -- TB2OverwriteHandler.log
24/08/2007 11:57:34 1430 byte 4 days old -- MAR24C.tmp
24/08/2007 11:58:04 47122 byte 4 days old -- DIO4C8.tmp
24/08/2007 11:58:28 47122 byte 4 days old -- DIO4CD.tmp
24/08/2007 13:29:59 49458 byte 4 days old -- 6136_appcompat.txt
24/08/2007 13:33:38 1430 byte 4 days old -- MAR24D.tmp
24/08/2007 13:34:14 47122 byte 4 days old -- DIO4CB.tmp
24/08/2007 13:34:58 47122 byte 4 days old -- DIO4CF.tmp
24/08/2007 14:41:23 47122 byte 4 days old -- DIO4D9.tmp
24/08/2007 17:08:02 1430 byte 4 days old -- MAR24E.tmp
24/08/2007 17:08:38 47122 byte 4 days old -- DIO4CE.tmp
24/08/2007 17:09:10 47122 byte 4 days old -- DIO4D1.tmp
25/08/2007 11:37:47 1430 byte 3 days old -- MAR24F.tmp
25/08/2007 11:38:01 16384 byte 3 days old -- ~DF5FD9.tmp
25/08/2007 11:38:25 47122 byte 3 days old -- DIO4D0.tmp
25/08/2007 11:39:36 47122 byte 3 days old -- DIO4D4.tmp
25/08/2007 12:04:10 1430 byte 3 days old -- MAR250.tmp
25/08/2007 12:04:18 47122 byte 3 days old -- DIO4D2.tmp
25/08/2007 12:04:27 47122 byte 3 days old -- DIO4D6.tmp
27/08/2007 08:28:31 1430 byte 1 days old -- MAR251.tmp
27/08/2007 08:28:56 47122 byte 1 days old -- DIO4D5.tmp
27/08/2007 08:29:10 47122 byte 1 days old -- DIO4DA.tmp
27/08/2007 09:01:52 1430 byte 1 days old -- MAR1.tmp
27/08/2007 09:02:11 5400 byte 1 days old -- SB-CLSID-cache.dat
27/08/2007 09:03:00 47122 byte 1 days old -- DIO4D8.tmp
27/08/2007 09:03:19 47122 byte 1 days old -- DIO4E6.tmp
27/08/2007 09:11:35 47122 byte 1 days old -- DIO52C.tmp
27/08/2007 09:16:47 4 byte 1 days old -- Twain001.Mtx
27/08/2007 09:16:47 156 byte 1 days old -- Twunk001.MTX
27/08/2007 09:17:35 7962 byte 1 days old -- TWAIN.LOG
27/08/2007 09:18:29 (DIR) 0 byte 1 days old -- ~DEST
27/08/2007 11:03:21 824 byte 1 days old -- status-applink.html
27/08/2007 11:03:21 711 byte 1 days old -- custom-content.html
27/08/2007 11:03:22 2523 byte 1 days old -- status-content.html
27/08/2007 11:03:23 (DIR) 0 byte 1 days old -- icm-rgt
27/08/2007 11:03:23 (DIR) 0 byte 1 days old -- icm-upg
27/08/2007 16:44:35 1430 byte 1 days old -- MAR252.tmp
27/08/2007 16:44:55 47122 byte 1 days old -- DIO4DB.tmp
27/08/2007 16:44:59 47122 byte 1 days old -- DIO4DC.tmp
27/08/2007 16:45:02 47122 byte 1 days old -- DIO4DE.tmp
28/08/2007 08:31:13 1430 byte 0 days old -- MAR253.tmp
28/08/2007 08:31:29 47122 byte 0 days old -- DIO4DF.tmp
28/08/2007 08:31:54 47122 byte 0 days old -- DIO4E1.tmp
28/08/2007 11:08:22 (DIR) 0 byte 0 days old -- hsperfdata_Owner
28/08/2007 11:11:42 1430 byte 0 days old -- MAR254.tmp
28/08/2007 11:11:46 16384 byte 0 days old -- ~DFD050.tmp
28/08/2007 11:12:08 47122 byte 0 days old -- DIO4E0.tmp
28/08/2007 11:12:17 47122 byte 0 days old -- DIO4E4.tmp
28/08/2007 11:13:08 0 byte 0 days old -- java_install.log
28/08/2007 11:13:45 381 byte 0 days old -- java_install_reg.log
28/08/2007 11:13:49 196 byte 0 days old -- jusched.log
28/08/2007 11:24:17 16384 byte 0 days old -- ~DF942F.tmp
28/08/2007 11:24:44 (DIR) 0 byte 0 days old -- nsb506.tmp
09/07/2007 10:27:46 1430 byte 50 days old -- MAR221.tmp
09/07/2007 10:28:19 47122 byte 50 days old -- DIO466.tmp
09/07/2007 10:28:45 47122 byte 50 days old -- DIO472.tmp
09/07/2007 14:46:44 47122 byte 50 days old -- DIO4BA.tmp
09/08/2007 08:30:27 1430 byte 19 days old -- MAR23D.tmp
09/08/2007 08:31:01 47122 byte 19 days old -- DIO4A4.tmp
09/08/2007 08:31:27 47122 byte 19 days old -- DIO4A7.tmp
09/08/2007 14:50:38 47122 byte 19 days old -- DIO53F.tmp
10/07/2007 08:42:06 1430 byte 49 days old -- MAR222.tmp
10/07/2007 08:42:31 47122 byte 49 days old -- DIO467.tmp
10/07/2007 08:43:01 47122 byte 49 days old -- DIO46F.tmp
10/07/2007 12:34:25 47122 byte 49 days old -- DIO4BC.tmp
10/08/2007 08:29:27 1430 byte 18 days old -- MAR23E.tmp
10/08/2007 08:29:57 47122 byte 18 days old -- DIO4A6.tmp
10/08/2007 08:30:18 47122 byte 18 days old -- DIO4A9.tmp
10/08/2007 09:27:36 47122 byte 18 days old -- DIO4B8.tmp
11/07/2007 08:27:46 16384 byte 48 days old -- ~DFBE1F.tmp
11/07/2007 08:27:52 1430 byte 48 days old -- MAR223.tmp
11/07/2007 08:28:30 47122 byte 48 days old -- DIO468.tmp
11/07/2007 08:28:52 47122 byte 48 days old -- DIO46E.tmp
11/07/2007 10:29:33 (DIR) 0 byte 48 days old -- IXP000.TMP
11/07/2007 11:32:08 16384 byte 48 days old -- ~WRF1095.tmp
11/07/2007 14:07:08 12288 byte 48 days old -- ~WRS1931.tmp
11/07/2007 14:09:34 1430 byte 48 days old -- MAR224.tmp
11/07/2007 14:09:55 47122 byte 48 days old -- DIO46A.tmp
11/07/2007 14:10:10 47122 byte 48 days old -- DIO46C.tmp
12/07/2007 09:04:25 1430 byte 47 days old -- MAR225.tmp
12/07/2007 09:04:49 47122 byte 47 days old -- DIO46B.tmp
12/07/2007 09:05:25 47122 byte 47 days old -- DIO47B.tmp

===================== Hidden Objects =====================

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-28 11:25:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


===================== Checking Rustock rootkit =====================



==========================================
Scan completed in 4 minutes
End of report

This is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:06 AM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\mjpsypjr.dll
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8130 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 August 2007 - 03:27 PM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\fccawvu.dll.vir
C:\WINDOWS\system32\ifmjbaxx.dll
C:\WINDOWS\system32\ssqrp.dll.vir
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\mjpsypjr.dll
C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.ini


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new HijackThis log, please.

#5 Coz80

Coz80
  • Topic Starter

  • Members
  • 9 posts

Posted 29 August 2007 - 07:41 AM

Here is the OTMoveIt log:

C:\WINDOWS\system32\fccawvu.dll.vir moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ifmjbaxx.dll
C:\WINDOWS\system32\ifmjbaxx.dll NOT unregistered.
C:\WINDOWS\system32\ifmjbaxx.dll moved successfully.
C:\WINDOWS\system32\ssqrp.dll.vir moved successfully.
C:\WINDOWS\system32\prqss.bak1 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mjpsypjr.dll
C:\WINDOWS\system32\mjpsypjr.dll NOT unregistered.
C:\WINDOWS\system32\mjpsypjr.dll moved successfully.
C:\WINDOWS\system32\prqss.bak2 moved successfully.
C:\WINDOWS\system32\prqss.ini moved successfully.

Created on 08/29/2007 08:40:09

#6 Coz80

Coz80
  • Topic Starter

  • Members
  • 9 posts

Posted 29 August 2007 - 01:38 PM

New HJT log after OTMoveIt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:57 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intuit\QuickBooks 2005\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\mjpsypjr.dll (file missing)
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8399 bytes
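Comparing the O2 block of the 8/28 log (post #3) with the 8/29 log above shows the mechanics of this clean-up step: OTMoveIt moved mjpsypjr.dll off disk, so HijackThis now reports the same `{47B83D78-...}` entry as "(file missing)", i.e. the DLL is gone but its Browser Helper Objects registry key is still there and still needs removing. The following is an added example, not code from the thread, from HijackThis or from OTMoveIt: it parses the O2 lines of both logs, flags entries worth a reviewer's attention, and diffs the two logs to list the keys the file move left orphaned. The sample input is the O2 block quoted from the two logs; the two triage rules (orphaned entry, unnamed BHO loading from system32) are heuristics assumed here for illustration, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# An O2 line has one of two shapes:
#   O2 - BHO: <name> - {CLSID} - <path>          (optionally followed by "(file missing)")
#   O2 - BHO: <name> - {CLSID} - (no file)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<rest>.*)$"
)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass
class BhoEntry:
    name: str
    clsid: str            # upper-cased so the same key matches across logs
    path: Optional[str]   # None when HijackThis prints "(no file)"
    status: str           # "present", "file missing" or "no file"


def parse_o2(line: str) -> Optional[BhoEntry]:
    """Parse a single O2 line; any other HJT line yields None."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    name, clsid, rest = m.group("name"), m.group("clsid").upper(), m.group("rest").strip()
    if rest == "(no file)":
        return BhoEntry(name, clsid, None, "no file")
    if rest.endswith("(file missing)"):
        return BhoEntry(name, clsid, rest[: -len("(file missing)")].strip(), "file missing")
    return BhoEntry(name, clsid, rest, "present")


def parse_log(text: str) -> Dict[str, BhoEntry]:
    """Collect every O2 entry of a log, keyed by CLSID."""
    entries: Dict[str, BhoEntry] = {}
    for line in text.splitlines():
        entry = parse_o2(line)
        if entry is not None:
            entries[entry.clsid] = entry
    return entries


def triage(entries: Dict[str, BhoEntry]) -> Dict[str, List[str]]:
    """CLSID -> reasons a reviewer should look at the entry (heuristics, not verdicts)."""
    flagged: Dict[str, List[str]] = {}
    for clsid, e in entries.items():
        reasons = []
        if e.status != "present":
            # Key still loads at IE start but the DLL is gone: the key should be removed.
            reasons.append(f"orphaned registry entry ({e.status})")
        if e.name == "(no name)" and e.path and e.path.lower().startswith(SYSTEM32_PREFIX):
            # Unnamed BHO loading straight from system32 (the mjpsypjr.dll / awtsq.dll
            # pattern in this thread); the legitimate unnamed Symantec BHO lives
            # under Program Files and so does not trip this rule.
            reasons.append("unnamed BHO loading a DLL from system32")
        if reasons:
            flagged[clsid] = reasons
    return flagged


def newly_orphaned(before: Dict[str, BhoEntry], after: Dict[str, BhoEntry]) -> List[str]:
    """CLSIDs whose DLL was on disk in the first log and missing in the second:
    the file was moved, but the HKLM Browser Helper Objects key was left behind."""
    return sorted(
        clsid for clsid, e in after.items()
        if e.status == "file missing" and clsid in before and before[clsid].status == "present"
    )


# O2 block quoted from the 8/28 HJT log (post #3).
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\mjpsypjr.dll
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
"""
# The 8/29 log (post #6) differs in its O2 block only in the mjpsypjr.dll line.
AFTER_LOG = BEFORE_LOG.replace(
    r"C:\WINDOWS\system32\mjpsypjr.dll",
    r"C:\WINDOWS\system32\mjpsypjr.dll (file missing)",
)

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for clsid, reasons in triage(after).items():
        print(clsid, "->", "; ".join(reasons))
    print("orphaned by the file move:", newly_orphaned(before, after))
```

Running it against the two logs flags six of the nine entries and names `{47B83D78-F986-4E96-9769-2C55EF14DA0B}` as the one the OTMoveIt step orphaned; the Adobe, Java and Symantec entries pass both rules. The path check matters: "(no name)" alone is not a signal, since the Symantec NppBho.dll entry in the same log is also unnamed.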

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 03:36 PM

Find and delete:
OTMoveIt.exe
C:\_OTMoveIt

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log.

#8 Coz80

Coz80
  • Topic Starter

  • Members
  • 9 posts

Posted 30 August 2007 - 10:27 AM

I will mention that the pop-ups ceased once I ran OTMoveIt. I will post a new HJT log in my next reply. Here is the ComboFix log:

ComboFix 07-08-30.3 - "Owner" 2007-08-30 11:14:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.223 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\winsub.xml


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-30 11:13 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 09:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-27 09:09 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Tenebril
2007-08-27 09:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-08-27 08:58 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-08-27 08:58 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-08-24 13:51 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-08-24 13:18 <DIR> d-------- C:\WINDOWS\pss
2007-08-23 16:20 <DIR> d-------- C:\WINDOWS\system32\dllz1
2007-07-27 15:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Opera
2007-07-13 14:41 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-13 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-13 14:14 <DIR> d-------- C:\Program Files\PowerISO
2007-07-13 13:52 <DIR> d-------- C:\Program Files\uTorrent
2007-07-13 13:52 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-13 13:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-13 12:59 <DIR> d-------- C:\Program Files\Bonjour
2007-07-13 12:52 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 11:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-30 08:43 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-24 13:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DIGStream
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47F3C7CA-93D7-4837-8333-AE15732BD97C}]
C:\WINDOWS\system32\awtsq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 18:18]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 14:00 C:\WINDOWS\SoundMan.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-09 09:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cleaner]
lib.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

S3 pwalker;Process Walker Driver;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\nsb506.tmp\pwalker.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-04-09 12:54:15 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 11:19:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 11:21:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 11:21

--- E O F ---

#9 Coz80 (Topic Starter, Members, 9 posts)

Posted 30 August 2007 - 10:28 AM

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:50 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8066 bytes

#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 30 August 2007 - 11:15 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Restart your pc.
Post a new Hijackthis log.
Let me know how your pc is running now please.
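The five entries RichieUK picks out share one marker: the BHO's CLSID is still registered under Internet Explorer's Browser Helper Objects, but the DLL it points to is gone, which HijackThis reports as "(file missing)" or "(no file)". As an added example that is not part of this thread and not HijackThis code, here is a small Python parser that pulls the O2/O3 lines out of a HijackThis log and flags those orphaned entries. The line format is inferred from the logs posted above (the regex is an assumption, not a HijackThis API), and the sample input is the set of O2/O3 lines from post #9, embedded inline.

```python
"""Flag orphaned BHO and toolbar entries in a HijackThis log.

Added example, not code from the thread or from HijackThis. The line
format below is inferred from the logs posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# "O2 - BHO: <name> - {CLSID} - <dll path or status>"
# "O3 - Toolbar: <name> - {CLSID} - <dll path or status>"
HJT_BHO_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)

# HijackThis marks a registered BHO whose DLL no longer exists with one of these.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class BhoEntry:
    section: str   # "O2" (BHO) or "O3" (toolbar)
    name: str      # display name; junk entries are often "(no name)"
    clsid: str     # CLSID registered under Browser Helper Objects
    target: str    # DLL path, possibly followed by a status marker

    @property
    def orphaned(self) -> bool:
        """True when the CLSID is still registered but its DLL is gone."""
        return any(marker in self.target for marker in ORPHAN_MARKERS)


def parse_bho_entries(lines: Iterable[str]) -> List[BhoEntry]:
    """Extract O2/O3 entries; every other HijackThis section is ignored."""
    entries = []
    for raw in lines:
        m = HJT_BHO_RE.match(raw.strip())
        if m:
            entries.append(BhoEntry(m["section"], m["name"], m["clsid"], m["target"]))
    return entries


def orphaned_entries(lines: Iterable[str]) -> List[BhoEntry]:
    """The entries a helper would ask the user to 'Fix checked' in HijackThis."""
    return [e for e in parse_bho_entries(lines) if e.orphaned]


def fix_list(lines: Iterable[str]) -> List[str]:
    """Render the orphaned entries in HijackThis's own line format, which is
    how they are normally quoted back to the user."""
    return [
        f"{e.section} - {'BHO' if e.section == 'O2' else 'Toolbar'}: "
        f"{e.name} - {e.clsid} - {e.target}"
        for e in orphaned_entries(lines)
    ]


# Sample input (constructed here): the O2/O3 lines from post #9 of this thread,
# plus one O4 line to show that other sections are skipped.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)",
    r"O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll",
    r"O2 - BHO: (no name) - {47F3C7CA-93D7-4837-8333-AE15732BD97C} - C:\WINDOWS\system32\awtsq.dll (file missing)",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
]

if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG_LINES):
        print(line)
```

Run against the sample it prints exactly the five O2 lines RichieUK listed. The orphan marker alone is a cleanup heuristic, not a verdict: an entry with a DLL that still exists can be malicious, and a missing file can just be a badly uninstalled product (SpyCatcher here), so a present DLL still needs to be identified by path and publisher before deciding to leave it.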

#11 Coz80 (Topic Starter, Members, 9 posts)

Posted 30 August 2007 - 12:49 PM

I fixed/deleted the files as instructed. My computer no longer has pop-ups, where before I would have already seen 8-10 just by going to my homepage. Thanks, dude. You're friggin' awesome. Is it okay to remove HJT, ComboFix, ATF Cleaner, and all the logs? BTW, my computer is running twice as well as it did before I got the virus. Do you recommend running any software other than the Norton Internet Security I run now for added protection? Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:47 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7622 bytes

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 30 August 2007 - 04:04 PM

Is it okay to remove HJT, ComboFix, ATF Cleaner, and all the logs?

Yes, by all means, also find and delete:
C:\Qoobox

Your log is clean :thumbsup:
If all's ok, please do the following.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Edited by RichieUK, 30 August 2007 - 04:04 PM.


#13 Coz80 (Topic Starter, Members, 9 posts)

Posted 31 August 2007 - 08:20 AM

Thanks RichieUK. You are the true Malware Assassin. Bop Bop Bop.

#14 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 31 August 2007 - 08:38 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.