Pop Ups At Start Up


  • This topic is locked
11 replies to this topic

#1 Hexagram

Hexagram

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 02 September 2007 - 06:08 PM

Hello!

When I start Windows XP, Spy Sweeper blocks an attempt called AYB.NETBIOS-WAIT and another one,
and I haven't been able to remove it. I looked at forum topic http://www.bleepingcomputer.com/forums/lofiversion/index.php/t95295.html
but I was unable to locate the same HijackThis entries that were listed.
What do I do?

Here's my logfile!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:39 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Tablet.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184820009906
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPDTC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8821 bytes

#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:08 PM

Posted 07 September 2007 - 06:23 PM

Hello Hexagram,

I am SifuMike and I will be helping you. :thumbsup:

but I was unable to locate the same HijackThis entries that were listed.
What do I do?

It is never a good idea to copy another person's fixes, as each fix is unique to that computer.



NOTE: If you have downloaded ComboFix previously, please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop.

2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply. Post all your replies directly into this topic, not as attachments, thanks.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed, then disable script blocking so it will not interfere with the fix.

To disable the Norton Script Blocking service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find the ScriptBlocking service, right-click it, and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click the Stop button. Click the Apply button.

* Disable Script Blocking in the Norton settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK.
You can re-enable it afterwards when everything is clean again.



*********************

Uninstall the following via Add/Remove Programs:

CiD Help
Download Plugin for Internet Explorer
Zone Media
Netpumper


If, during the uninstall, you are asked for an uninstall verification, please enter the numbers that appear in the window.

Then reboot. Important!

* Download Deljob.exe and save it to your desktop.
Double-click Deljob.exe.

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply. Post all your replies directly into this topic, not as attachments, thanks.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Hexagram

Hexagram
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 11 September 2007 - 08:46 PM

Hi Mike!

Thanks for the help! Here is the ComboFix log:

ComboFix 07-09-10.6 - "HP_Owner" 2007-09-11 19:36:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.550 [GMT -6:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hosts


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-05 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-31 21:33 <DIR> d-------- C:\Program Files\7-Zip
2007-08-31 19:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-08-31 18:23 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Bioshock
2007-08-31 18:21 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-08-31 18:21 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-08-31 18:09 <DIR> d-------- C:\Program Files\2K Games
2007-08-31 18:09 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\InstallShield
2007-08-28 11:21 <DIR> d-------- C:\Program Files\CCleaner
2007-08-28 11:08 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-08-28 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-28 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-28 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-08-28 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-28 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-08-28 10:46 <DIR> d-------- C:\DOCUME~1\HP_Owner\.SunDownloadManager
2007-08-28 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-27 19:21 <DIR> d-------- C:\Program Files\Ubisoft
2007-08-27 00:24 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-08-23 13:32 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-08-23 13:31 <DIR> d-------- C:\Program Files\SpywareDetector
2007-08-23 13:13 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 17:10 225,280 -ra------ C:\WINDOWS\system32\SZBase5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 19:31 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\WTablet
2007-09-11 19:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-05 12:49 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-31 19:28 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\bytemultinoun
2007-08-31 19:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tick Find Close Surf
2007-08-31 19:26 1024 --a------ C:\WINDOWS\system32\drivers\F4C7B164-2FE4-4212-A642-EF16EFDF1B5D.cxv
2007-08-31 18:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 23:51 --------- d-------- C:\Program Files\Corel
2007-08-18 17:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ball Shim Dupe Tick
2007-08-17 17:25 356352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-17 17:25 356352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-17 16:23 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-08-17 16:23 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-08-17 16:23 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-08-17 16:23 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-08-17 16:23 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-08-17 16:23 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-08-17 16:23 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-08-17 16:23 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-08-17 16:23 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-08-17 16:23 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-08-17 16:23 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-08-17 16:23 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-08-17 16:23 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-08-09 18:20 28928 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2007-08-07 13:30 372736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-08-07 13:30 294912 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-08-07 13:30 126976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-08-07 13:29 69632 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-08-07 13:29 23040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-08-07 13:29 184320 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-08-07 13:28 94208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-08-07 13:28 90112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-08-07 13:28 688128 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-08-02 00:15 --------- d-------- C:\Program Files\bytemultinoun
2007-07-31 00:41 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ubisoft
2007-07-31 00:40 1 --a------ C:\DOCUME~1\HP_Owner\SI.bin
2007-07-30 23:49 164 --a------ C:\install.dat
2007-07-30 23:43 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-07-30 18:49 --------- d-------- C:\Program Files\LimeWire
2007-07-30 18:30 --------- d-------- C:\Program Files\LimeWire Download Accelerator
2007-07-30 18:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-30 18:20 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\LimeWire
2007-07-19 22:54 1521464 --a------ C:\WINDOWS\WRSetup.dll
2007-07-19 22:42 23864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-19 22:42 21816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-19 22:42 20280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-07-19 22:42 163128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-07-18 22:33 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Motive
2007-07-17 12:54 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-17 12:54 --------- d-------- C:\Program Files\Doom 3
2007-07-14 10:36 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec
2007-07-13 18:32 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 15:03]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-09 00:18]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 19:58 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-08-17 16:23 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Steam"="c:\progra~1\valve\steam\steam.exe" [2007-07-14 10:27]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-04 23:12:51]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

C:\DOCUME~1\HP_Owner\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-04 23:12:51]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
R2 Dynex DX-WGPDTC WLService;Dynex Wireless G Enhanced Adapter Service;C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 01:00:00 C:\WINDOWS\Tasks\AA1E15F691858DC6.job"
- c:\docume~1\hp_owner\applic~1\bytemu~1\third build bolt.exe
"2007-09-03 01:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-04-05 03:25:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 19:38:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-11 19:38:53
C:\ComboFix-quarantined-files.txt ... 2007-09-11 19:38
C:\ComboFix2.txt ... 2007-08-23 13:19
.
--- E O F ---

And here is a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:50 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Tablet.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\progra~1\valve\steam\steam.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184820009906
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPDTC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9102 bytes

When I looked in Add/Remove Programs I could only find CiD Help, and removed it.
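Added here as an illustration of how a helper reads the 'Scheduled Tasks' section of a ComboFix log such as the one above (this is example code written for this page, not part of the thread, ComboFix or Deljob). The sample text is that section copied from the log; the two heuristics, the function names and the `Task` class are my own choices, not something ComboFix does. It flags a task when the .job name is a bare hex string, or when the executable it launches lives under a user profile's Application Data folder (including 8.3 short names like DOCUME~1\...\APPLIC~1), both of which point at the AA1E15F691858DC6.job / bytemultinoun entry that Deljob removes in the next post, while leaving the Apple and Symantec tasks alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the 'Scheduled Tasks' section as printed in the ComboFix
# log posted in this thread (copied for the example, not generated here).
SAMPLE_SECTION = r'''
.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 01:00:00 C:\WINDOWS\Tasks\AA1E15F691858DC6.job"
- c:\docume~1\hp_owner\applic~1\bytemu~1\third build bolt.exe
"2007-09-03 01:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-04-05 03:25:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
'''

# One ComboFix task line: "<timestamp> <full path to the .job file>"
TASK_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\.job)"$', re.I)
# Job names made of nothing but 12+ hex digits (auto-generated names).
HEX_NAME = re.compile(r'^[0-9A-F]{12,}$', re.I)
# Targets under a user profile's Application Data / AppData, matching both
# long names and 8.3 short names (DOCUME~1, APPLIC~1) as ComboFix prints them.
USER_DATA_DIR = re.compile(
    r'\\(?:docume~1|documents and settings|users)\\[^\\]+\\'
    r'(?:applic~1|application data|appdata|local settings)\\', re.I)


@dataclass
class Task:
    timestamp: str
    job_path: str
    target: Optional[str] = None           # the "- <exe>" line, when ComboFix prints one
    reasons: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.job_path.rsplit('\\', 1)[-1]


def parse_scheduled_tasks(text: str) -> List[Task]:
    """Pull the tasks out of the 'Scheduled Tasks' section of a ComboFix log."""
    tasks: List[Task] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == '.' or line.startswith('****'):
            break                          # the section ends at the next separator
        m = TASK_LINE.match(line)
        if m:
            tasks.append(Task(timestamp=m.group(1), job_path=m.group(2)))
        elif line.startswith('- ') and tasks:
            tasks[-1].target = line[2:].strip()   # target belongs to the preceding job
    return tasks


def assess(task: Task) -> Task:
    """Attach a reason for each heuristic the task triggers (hypothetical rules)."""
    stem = task.name[:-4] if task.name.lower().endswith('.job') else task.name
    if HEX_NAME.match(stem):
        task.reasons.append('job name is a bare hex string, typical of auto-generated adware tasks')
    if task.target and USER_DATA_DIR.search(task.target):
        task.reasons.append('target executable runs from a user-profile Application Data folder')
    return task


def triage(text: str) -> Dict[str, List[str]]:
    """Return {job name: [reasons]} for every task that triggered at least one heuristic."""
    return {t.name: t.reasons for t in map(assess, parse_scheduled_tasks(text)) if t.reasons}


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_SECTION).items():
        print(name)
        for reason in reasons:
            print('  -', reason)
```

Run against the sample, only AA1E15F691858DC6.job is reported, with both reasons; AppleSoftwareUpdate.job (no target shown) and Symantec NetDetect.job (runs from Program Files) pass. A hit is a prompt to look closer, not a verdict: legitimate software occasionally schedules tasks from a profile folder, so the helper still confirms the target before deciding what to remove.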

#4 Hexagram

Hexagram
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 11 September 2007 - 08:55 PM

And here is the Deljob txt. Thanks again for all the help!

--------------------------------------------------------
File(s) moved to C:\deljob

AA1E15F691858DC6.job
--------------------------------------------------------
Files remaining after cleaning

AppleSoftwareUpdate.job
Symantec NetDetect.job
--------------------------------------------------------
App data folders

Volume in drive C is HP_PAVILION
Volume Serial Number is C413-1EED

Directory of C:\Documents and Settings\HP_Owner\Application Data

08/31/2007 06:23 PM <DIR> .
08/31/2007 06:23 PM <DIR> ..
08/30/2007 12:09 AM <DIR> Adobe
06/01/2007 05:11 PM <DIR> AdobeUM
08/07/2004 03:20 PM <DIR> APPLEC~1 Apple Computer
09/11/2007 03:13 PM <DIR> Bioshock
04/12/2007 09:18 PM <DIR> BITTOR~1 BitTorrent
08/31/2007 07:28 PM <DIR> BYTEMU~1 bytemultinoun
04/08/2007 12:43 PM <DIR> Corel
04/12/2007 08:54 PM <DIR> DNA
06/09/2007 10:49 PM <DIR> Galcon
08/07/2004 01:03 PM <DIR> IDENTI~1 Identities
08/31/2007 06:09 PM <DIR> INSTAL~1 InstallShield
04/07/2007 07:33 PM <DIR> INTERV~1 InterVideo
07/30/2007 06:20 PM <DIR> LimeWire
04/04/2007 09:06 PM <DIR> MACROM~1 Macromedia
06/04/2007 05:13 PM <DIR> MICROS~1 Microsoft
07/18/2007 10:33 PM <DIR> Motive
04/12/2007 05:57 PM <DIR> Real
08/07/2004 03:59 PM <DIR> SAMPLE~1 SampleView
06/02/2007 11:33 AM <DIR> SecuROM
08/07/2004 01:37 PM <DIR> Sun
08/08/2004 08:56 AM <DIR> Symantec
05/06/2007 05:14 PM <DIR> Turbine
04/30/2007 11:27 PM <DIR> Webroot
09/11/2007 07:51 PM <DIR> WTablet
0 File(s) 0 bytes
26 Dir(s) 187,843,997,696 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is C413-1EED

Directory of C:\Documents and Settings\All Users\Application Data

09/05/2007 12:47 PM <DIR> .
09/05/2007 12:47 PM <DIR> ..
08/27/2007 12:22 AM <DIR> Adobe
04/14/2007 01:41 PM <DIR> APPLEC~1 Apple Computer
08/18/2007 05:14 PM <DIR> BALLSH~1 Ball Shim Dupe Tick
08/07/2004 02:39 PM <DIR> HEWLET~1 Hewlett-Packard
08/31/2007 06:21 PM <DIR> MICROS~1 Microsoft
08/07/2004 03:37 PM <DIR> Motive
06/02/2007 11:31 AM <DIR> NVIDIA
04/08/2007 12:15 PM <DIR> QUICKT~1 QuickTime
08/07/2004 01:09 PM <DIR> SBSI
09/05/2007 01:00 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
09/11/2007 07:50 PM <DIR> STOPZI~1 STOPzilla!
05/01/2007 01:15 AM <DIR> Symantec
08/31/2007 07:27 PM <DIR> TICKFI~1 Tick Find Close Surf
07/31/2007 12:41 AM <DIR> Ubisoft
04/30/2007 11:29 PM <DIR> Webroot
04/04/2007 08:39 PM <DIR> WINDOW~1 Windows Genuine Advantage
07/30/2007 06:30 PM <DIR> WinZip
04/30/2007 11:02 PM <DIR> ZILLAbar
0 File(s) 0 bytes
20 Dir(s) 187,843,997,696 bytes free
--------------------------------------------------------

#5 SifuMike

    malware expert



Posted 11 September 2007 - 10:29 PM

Hi Hexagram,

Are you still getting AYB.NETBIOS-WAIT from spy sweeper?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Hexagram


Posted 14 September 2007 - 01:03 AM

Hey Mike!

No, we seem to have got it, thanks very much! I downloaded a program called StopZilla that says it has found other infections, but it won't delete them. I couldn't find them using HijackThis so I'm not sure what to do....

Thanks again!

#7 SifuMike

    malware expert



Posted 14 September 2007 - 09:44 AM

Hi Hexagram,

Can you post the Stopzilla Event log? I need to see what it is finding.

To open the Event Log:

From the navigation bar, select Scan for Spyware.

In the Scan window, click the Event Log tab. The system will display the Event Log.

Edited by SifuMike, 14 September 2007 - 09:52 AM.


#8 Hexagram


Posted 15 September 2007 - 12:05 PM

Hey Mike,

Here is my StopZilla log.

Information Internet Explorer 2007-09-15 10:56:07 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-15 10:56:07 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-15 10:56:07 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-15 10:56:06 Starting process watcher
Information Internet Explorer 2007-09-15 10:16:23 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-15 10:16:23 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-15 10:16:23 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-15 10:16:22 Starting process watcher
Information General 2007-09-14 23:54:49 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-14 23:52:59 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-14 23:52:59 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-14 23:52:59 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-14 23:52:57 Starting process watcher
Information Internet Explorer 2007-09-14 10:20:10 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-14 10:20:10 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-14 10:20:10 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-14 10:20:10 Starting process watcher
Information General 2007-09-13 23:54:35 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-13 23:52:42 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-13 23:52:42 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-13 23:52:42 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-13 23:52:41 Starting process watcher
Information Internet Explorer 2007-09-13 09:29:41 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-13 09:29:41 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-13 09:29:41 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-13 09:29:40 Starting process watcher
Information General 2007-09-12 17:30:19 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-12 17:28:22 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-12 17:28:22 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-12 17:28:22 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-12 17:28:21 Starting process watcher
Information Internet Explorer 2007-09-11 21:53:57 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-11 21:53:57 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-11 21:53:57 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-11 21:53:56 Starting process watcher
Information Internet Explorer 2007-09-11 19:50:07 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-11 19:50:07 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-11 19:50:07 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-11 19:50:07 Starting process watcher
Information Internet Explorer 2007-09-11 19:29:54 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-11 19:29:54 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-11 19:29:54 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-11 19:29:54 Starting process watcher
Information General 2007-09-11 18:00:57 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-11 11:59:31 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-11 11:59:31 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-11 11:59:31 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-11 11:59:30 Starting process watcher
Information General 2007-09-11 00:15:33 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-11 00:13:41 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-11 00:13:41 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-11 00:13:41 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-11 00:13:41 Starting process watcher
Information Internet Explorer 2007-09-10 09:22:44 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-10 09:22:44 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-10 09:22:44 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-10 09:22:42 Starting process watcher
Information Internet Explorer 2007-09-09 20:08:21 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-09 20:08:21 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-09 20:08:21 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-09 20:08:17 Starting process watcher
Information Internet Explorer 2007-09-09 17:59:59 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-09 17:59:59 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-09 17:59:59 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-09 17:59:59 Starting process watcher
Information Internet Explorer 2007-09-09 00:02:42 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-09 00:02:42 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-09 00:02:42 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-09 00:02:42 Starting process watcher
Information Internet Explorer 2007-09-08 12:47:33 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-08 12:47:33 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-08 12:47:33 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-08 12:47:33 Starting process watcher
Information Internet Explorer 2007-09-08 11:02:38 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-08 11:02:38 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-08 11:02:38 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-08 11:02:37 Starting process watcher
Information General 2007-09-08 00:05:43 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-08 00:02:54 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-08 00:02:54 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-08 00:02:54 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-08 00:02:53 Starting process watcher
Information General 2007-09-07 09:55:36 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-07 09:52:45 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-07 09:52:45 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-07 09:52:45 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-07 09:52:45 Starting process watcher
Information Internet Explorer 2007-09-06 13:30:46 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-06 13:30:46 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-06 13:30:46 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-06 13:30:46 Starting process watcher
Information Internet Explorer 2007-09-06 10:39:35 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-06 10:39:35 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-06 10:39:35 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-06 10:39:35 Starting process watcher
Information General 2007-09-06 00:01:38 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-05 23:59:42 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-05 23:59:42 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-05 23:59:42 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-05 23:59:42 Starting process watcher
Information Internet Explorer 2007-09-05 13:23:45 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-05 13:23:45 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-05 13:23:45 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-05 13:23:44 Starting process watcher
Information General 2007-09-05 10:23:38 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-05 10:21:42 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-05 10:21:42 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-05 10:21:42 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-05 10:21:42 Starting process watcher
Information Internet Explorer 2007-09-04 23:04:03 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-04 23:04:03 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-04 23:04:03 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-04 23:04:02 Starting process watcher
Information General 2007-09-04 21:21:49 Request to update definitions completed successfully.
Information Internet Explorer 2007-09-04 21:19:51 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-04 21:19:51 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-04 21:19:51 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-04 21:19:50 Starting process watcher
Information Internet Explorer 2007-09-04 09:10:51 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-04 09:10:51 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-04 09:10:51 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-04 09:10:51 Starting process watcher
Information Internet Explorer 2007-09-04 00:01:14 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-04 00:01:14 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-04 00:01:14 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-04 00:01:14 Starting process watcher
Information Internet Explorer 2007-09-03 15:02:17 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-03 15:02:17 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-03 15:02:17 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-03 15:02:16 Starting process watcher
Information Internet Explorer 2007-09-03 09:49:18 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-03 09:49:18 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-03 09:49:18 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-03 09:49:17 Starting process watcher
Information Internet Explorer 2007-09-02 16:01:14 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-02 16:01:14 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-02 16:01:14 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-02 16:01:12 Starting process watcher
Information Internet Explorer 2007-09-01 10:36:19 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-01 10:36:19 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-01 10:36:19 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-01 10:36:17 Starting process watcher
Information Internet Explorer 2007-09-01 09:30:26 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-09-01 09:30:26 Inspecting registered Explorer bars
Information Registry enforcer 2007-09-01 09:30:26 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-09-01 09:30:25 Starting process watcher
Information Internet Explorer 2007-08-31 20:33:51 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-08-31 20:33:51 Inspecting registered Explorer bars
Information Registry enforcer 2007-08-31 20:33:51 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-08-31 20:33:50 Starting process watcher
Information Internet Explorer 2007-08-31 20:24:05 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-08-31 20:24:05 Inspecting registered Explorer bars
Information Registry enforcer 2007-08-31 20:24:05 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-08-31 20:24:04 Starting process watcher
Information General 2007-08-31 20:02:59 Completed system scan.
Information General 2007-08-31 19:29:06 Started system scan.
Information Internet Explorer 2007-08-31 19:28:55 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-08-31 19:28:55 Inspecting registered Explorer bars
Information Registry enforcer 2007-08-31 19:28:55 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-08-31 19:28:55 Starting process watcher
Block/Extraction NT Service enforcer 2007-08-31 19:27:34 Disabled service: messenger -
Block/Extraction NT Service enforcer 2007-08-31 19:27:33 Disabled service: messenger -
Information Registry enforcer 2007-08-31 19:26:51 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2007-08-31 19:26:51 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2007-08-31 19:26:51 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction Registry enforcer 2007-08-31 19:26:51 Suppressing application from run key ("C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\Wave Joy.exe")
Block/Extraction File enforcer 2007-08-31 19:26:51 Quarantined file: c:\documents and settings\all users\application data\tick find close surf\wave joy.exe
Information Registry enforcer 2007-08-31 19:26:51 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2007-08-31 19:26:51 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Home page protection 2007-08-31 19:26:51 Checking homepage... OK
Block/Extraction Registry enforcer 2007-08-31 19:26:51 Suppressing application from run key ("C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\Wave Joy.exe")
Information General 2007-08-31 19:26:36 Request to update definitions completed successfully.
Information Internet Explorer 2007-08-31 19:25:15 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2007-08-31 19:25:15 Inspecting registered Explorer bars
Information Registry enforcer 2007-08-31 19:25:15 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-08-31 19:25:15 Starting process watcher
Information Registry enforcer 2007-04-30 23:00:15 Inspecting WinLogon Notification Handlers and Modules loaded by WinLogon
Information Home page protection 2007-04-30 22:58:25 Checking Homepage... OK
Information Internet Explorer 2007-04-30 22:58:21 Inspecting registered Internet Explorer Toolbars
Information Registry enforcer 2007-04-30 22:58:21 Inspecting registered Explorer Bars
Information Hosts file 2007-04-30 22:58:20 Locking 'hosts' file
Block/Extraction Hosts file 2007-04-30 22:58:19 Deleted 'hosts' file entry: 127.0.0.1 localhost #***Inserted By STOPzilla***
Information Registry enforcer 2007-04-30 22:58:19 Inspecting WinLogon Notification Handlers and Modules loaded by WinLogon
Information Registry enforcer 2007-04-30 22:58:18 Inspecting WinSock Registry (LSP Chain)
Information Registry enforcer 2007-04-30 22:58:18 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2007-04-30 22:58:17 Starting process watcher
Information Hosts file 2007-04-30 22:58:17 Inspecting 'hosts' file
Block/Extraction NT Service enforcer 2007-04-30 22:57:11 Disabled Service: messenger -
Information Registry enforcer 2007-04-30 22:57:09 Inspecting WinLogon Notification Handlers and Modules loaded by WinLogon
Information Registry enforcer 2007-04-30 22:57:03 Inspecting WinLogon Notification Handlers and Modules loaded by WinLogon
Information Hosts file 2007-04-30 22:56:34 Locking 'hosts' file
Block/Extraction Registry enforcer 2007-04-30 22:56:33 Deleted Registry Value system in hklm\software\microsoft\windows nt\currentversion\winlogon
Information Internet Explorer 2007-04-30 22:56:29 Inspecting registered Internet Explorer Toolbars
Information Registry enforcer 2007-04-30 22:56:29 Inspecting registered Explorer Bars
Information Registry enforcer 2007-04-30 22:56:29 Inspecting WinSock Registry (LSP Chain)
Information Registry enforcer 2007-04-30 22:56:29 Inspecting WinLogon Notification Handlers and Modules loaded by WinLogon
Information Registry enforcer 2007-04-30 22:56:29 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction NT Service enforcer 2007-04-30 22:56:29 Disabled Service: messenger -
Information Process enforcer 2007-04-30 22:56:28 Starting process watcher
Block/Extraction Hosts file 2007-04-30 22:56:28 Deleted 'hosts' file entry: 127.0.0.1 localhost
Information Hosts file 2007-04-30 22:56:28 Inspecting 'hosts' file

I believe this is right. Let me know if you need anything else.
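
An added example, not part of this thread and not STOPzilla's own tooling: a small Python parser for the event-log format pasted above. It splits each line into level, source, timestamp and message (the timestamp is used as the separator because source names such as "NT Service enforcer" contain spaces), lists only the Block/Extraction lines, and checks whether a named detection such as AYB.NETBIOS-WAIT appears anywhere, which is the check a helper applies when reading such a log. The sample lines are copied from the log above.

```python
"""Parser for the STOPzilla event-log format pasted in this thread.

Added example, not part of the thread. Each line has the shape
"<level> <source> <YYYY-MM-DD HH:MM:SS> <message>", where level is
"Information" or "Block/Extraction" and source may contain spaces
("Registry enforcer", "NT Service enforcer", ...), so the timestamp is
the anchor that separates source from message.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

_TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


@dataclass(frozen=True)
class Event:
    level: str      # "Information" or "Block/Extraction"
    source: str     # e.g. "Registry enforcer"
    timestamp: str  # "YYYY-MM-DD HH:MM:SS" exactly as written in the log
    message: str


def parse_line(line: str) -> Optional[Event]:
    """Split one log line into its fields; returns None for non-log lines."""
    m = _TS.search(line)
    if m is None:
        return None
    head = line[: m.start()].split(None, 1)  # [level, source-with-spaces]
    if len(head) != 2:
        return None
    return Event(head[0], head[1].strip(), m.group(1), line[m.end():].strip())


def parse_log(text: str) -> List[Event]:
    """Parse a pasted log, silently skipping chatter lines around it."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def actions(events: List[Event]) -> List[Event]:
    """Only the lines where STOPzilla actually blocked or removed something."""
    return [e for e in events if e.level == "Block/Extraction"]


def mentions(events: List[Event], name: str) -> bool:
    """Case-insensitive check for a detection name in any message."""
    needle = name.lower()
    return any(needle in e.message.lower() for e in events)


def actions_by_source(events: List[Event]) -> Counter:
    """How many Block/Extraction actions each STOPzilla component took."""
    return Counter(e.source for e in actions(events))


# Constructed sample: a handful of lines copied from the log in the thread.
SAMPLE = """\
Information General 2007-09-14 23:54:49 Request to update definitions completed successfully.
Information Registry enforcer 2007-08-31 19:26:51 Inspecting WinSock registry (LSP Chain)
Block/Extraction Registry enforcer 2007-08-31 19:26:51 Suppressing application from run key ("C:\\Documents and Settings\\All Users\\Application Data\\Tick Find Close Surf\\Wave Joy.exe")
Block/Extraction File enforcer 2007-08-31 19:26:51 Quarantined file: c:\\documents and settings\\all users\\application data\\tick find close surf\\wave joy.exe
Information Home page protection 2007-08-31 19:26:51 Checking homepage... OK
Block/Extraction NT Service enforcer 2007-04-30 22:57:11 Disabled Service: messenger -
Information Hosts file 2007-04-30 22:58:17 Inspecting 'hosts' file
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE)
    for e in actions(evs):
        print(e.timestamp, e.source, "->", e.message)
    print("AYB.NETBIOS-WAIT present:", mentions(evs, "AYB.NETBIOS-WAIT"))
```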

#9 SifuMike

    malware expert



Posted 15 September 2007 - 12:45 PM

Hi Hexagram,


Your StopZilla log is not showing any AYB.NETBIOS-WAIT intrusion.

Are you still seeing it?

#10 Hexagram


Posted 16 September 2007 - 01:29 AM

Nope! Thank you for all your help!

:thumbsup:

#11 SifuMike

    malware expert



Posted 16 September 2007 - 12:19 PM

Hi Hexagram,

You're welcome. :thumbsup: Hope your computer continues to run smoothly.

Please read and follow How did I get infected?, with steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.

#12 SifuMike

    malware expert



Posted 20 September 2007 - 04:23 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



