
Trojan Virus Troj_dloader.ewr Or Trojan.w32.looksky


  • This topic is locked
7 replies to this topic

#1 Marrick

  • Members
  • 4 posts

Posted 07 September 2007 - 08:30 PM

Started getting pop-up dialogs boxes indicating an Internet attack and virus, then pop-up ads for fixing the problem would appear. Several shortcuts also appeared on the desktop that were related to this attack. A white X in a red box sometimes appeared in the bottom status bar and sometimes flashed.

I used a Smitfraudfix application I found on the Internet and this removed the desktop shortcuts, the red box with the X, and the bothersome pop-ups. But the attack would appear the next day or even several hours later. I had to run the Smitfraudfix in safe mode just to be able to function between attacks.

I ran through the entire preparation guide with the following results:

1. cleanmgr - this did not run properly. When the disk cleanup status box displayed, there were four squares in the progress bar and the message was "Scanning: Compres old files" but the computer wasn't doing anything. Could be an OS issue.

2. Ad-Aware and Spybot scans - ran four scans for both. With each Ad-Aware scan there were or 2 critical items (MRU List appeared each time; others were mostly tracking-type files). I gave up after 4 Ad-Aware cycles because it seemed that there would always be issues it would find. Ran SpyBot four times and each time there was something, but the one I thought was the virus, Smitfraud-CMSVPS, was removed after the first one.

3. Housecall - This ran for about an hour and could delete all issues (about 19) except the Trojan TROJ_DLOADER.EWR. As I was reading the detailed instructions about what to do next, I was prompted to re-run the scan. So I did, and NO issues were found, even though it could not delete TROJ_DLOADER.EWR after the first scan.

4. I did not then run the Trend Micro antivirus program as I thought the virus had been deleted.

5. I ran McAfee AVERT Stinger and it did not find any viruses.

6. I installed the Sygate Firewall. I used to have Zone Alarm but a local PC repair shop told me not to use it as the Windows built-in firewall was adequate (and that Zone Alarm presented other challenges).

7. Ran Windows Update and there were no updates to download.

8. Ran Hijack This and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:10 PM, on 9/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe
C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TownCrier\TownCrier.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Seekmo /fleok=1D8A83A5C4EC177F9AAC6D2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINNT\nsduo.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe
O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ef334dd5.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: TownCrier.lnk = C:\Program Files\TownCrier\TownCrier.exe
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136588706455
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167656849074
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/move/06071909...2ie06071909.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: msmhost - {83614200-03BE-4191-A33B-755836BC7EE1} - C:\WINNT\msmhost.dll
O21 - SSODL: msmdev - {9604DD71-D240-436C-B171-58112A347CE2} - C:\WINNT\msmdev.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10726 bytes
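As an added example (not part of the thread or of HijackThis), a small Python triage script that parses the O2/O3/O4/O21/O23 lines of a log like the one above and flags the traits a log helper looks for: "(file missing)" orphans, DLLs loaded by the shell or IE straight from C:\WINNT (ComboFix later deletes nsduo.dll, msmhost.dll and msmdev.dll from exactly there), a random hex-named executable autostarting from the user profile, and the programs the reply asks to uninstall. The sample lines are constructed from this log; the heuristics and the unwanted-program list are the author's assumptions, not a HijackThis feature.

```python
"""Triage a HijackThis log: parse O2/O3/O4/O21/O23 entries and flag the
traits a log helper looks for.  Added example; heuristics are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines constructed from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINNT\nsduo.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ef334dd5.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O21 - SSODL: msmhost - {83614200-03BE-4191-A33B-755836BC7EE1} - C:\WINNT\msmhost.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""


@dataclass
class Entry:
    section: str  # "O2", "O3", "O4", "O21" or "O23"
    name: str     # display name, or the Run value name for O4
    path: str     # target file (may carry a "(file missing)" suffix)


@dataclass
class Finding:
    entry: Entry
    reason: str


# "O2 - BHO: <name> - {CLSID} - <path>" and "O23 - Service: <name> - <vendor> - <path>"
_DASH_ENTRY = re.compile(r"^(O2|O3|O21|O23) - [^:]+: (?P<name>.*?) - (?P<rest>.*)$")
# "O4 - HKCU\..\Run: [<value>] <command line>"  (Global Startup .lnk lines are not parsed)
_RUN_ENTRY = re.compile(r"^(O4) - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# eight hex digits + .exe, e.g. ef334dd5.exe
_HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
# a DLL sitting directly in the Windows directory, not in system32
_WINDIR_ROOT_DLL = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+\.dll$", re.IGNORECASE)
# programs the reply in this thread asks to uninstall (assumed list, matched on name or path)
UNWANTED_TAGS = ("viewpoint", "seekmo", "mywebsearch", "weatherbug", "\\aws\\")


def _exe_from_cmd(cmd: str) -> str:
    """Pull the executable out of a Run command line, quoted or not."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd.split() else ""


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a supported HijackThis line, else None."""
    m = _RUN_ENTRY.match(line)
    if m:
        return Entry("O4", m.group("name"), _exe_from_cmd(m.group("cmd")))
    m = _DASH_ENTRY.match(line)
    if m:
        # the path is always the last " - " separated field
        return Entry(m.group(1), m.group("name"), m.group("rest").rsplit(" - ", 1)[-1])
    return None


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every parsable line; one finding per entry at most."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        low = (e.name + " " + e.path).lower()
        base = e.path.rsplit("\\", 1)[-1]
        if e.path.endswith("(file missing)"):
            findings.append(Finding(e, "orphaned entry: target file missing"))
        elif e.section in ("O2", "O21") and _WINDIR_ROOT_DLL.match(e.path):
            findings.append(Finding(e, "DLL loaded by the shell or IE straight from the Windows directory"))
        elif e.section == "O4" and _HEX_NAME.match(base) and "local settings\\application data" in low:
            findings.append(Finding(e, "random hex-named executable autostarting from the user profile"))
        elif any(tag in low for tag in UNWANTED_TAGS):
            findings.append(Finding(e, "matches a program the thread says to uninstall"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:<4}{f.entry.name!r:<28} {f.reason}\n      {f.entry.path}")
```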


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 08 September 2007 - 06:18 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Marrick :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Seekmo
AWS


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 Marrick

  • Topic Starter
  • Members
  • 4 posts

Posted 08 September 2007 - 01:50 PM

Richie,

Thanks for your reply. I ran ComboFix but had to save it to my C drive; I received "unknown error occurred" when I tried to save it to the desktop (I've had this happen before when trying to save some executables there). I presume the reason for saving it is so the app has a place to write its log, not that it must be saved to the desktop. Saving it to C was allowed and I could then run the program and create a log. Here is the ComboFix log (the HijackThis log follows it):


ComboFix 07-09-08.8 - "Administrator" 09/08/2007 10:28:55.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.219 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\dat.txt
C:\WINNT\msmdev.dll
C:\WINNT\msmhost.dll
C:\WINNT\nsduo.dll
C:\WINNT\rs.txt


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-08 10:32 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_400.dat
2007-09-08 10:28 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-08 10:27 1,484,287 --a------ C:\ComboFix.exe
2007-09-07 21:03 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-09-07 21:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-07 20:47 83,096 --a------ C:\WINNT\system32\SSSensor.dll
2007-09-07 20:47 60,496 --a------ C:\WINNT\system32\drivers\Teefer.sys
2007-09-07 20:47 21,075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys
2007-09-07 20:47 14,568 --a------ C:\WINNT\system32\drivers\wg6n.sys
2007-09-07 20:47 14,568 --a------ C:\WINNT\system32\drivers\wg5n.sys
2007-09-07 20:47 14,568 --a------ C:\WINNT\system32\drivers\wg4n.sys
2007-09-07 20:47 14,568 --a------ C:\WINNT\system32\drivers\wg3n.sys
2007-09-07 20:47 <DIR> d-------- C:\Program Files\Sygate
2007-09-07 19:54 1,893,383 --a------ C:\Program Files\stinger.exe
2007-09-07 12:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-09-06 06:41 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC28-KB927779-x86-ENU$
2007-09-04 09:11 5,556,616 --a------ C:\Program Files\MDAC_TYP.EXE
2007-09-04 09:08 1,486,720 --a------ C:\Program Files\GenuineCheck.exe
2007-09-04 09:07 0 --a------ C:\Program Files\WGAPluginInstall.exe
2007-09-04 08:05 <DIR> d-------- C:\Program Files\SmitfraudFix
2007-09-04 07:47 3,270 --a------ C:\WINNT\system32\tmp.reg
2007-09-04 07:46 893,544 --a------ C:\Program Files\SmitfraudFix.exe
2007-08-24 14:57 382,352 --a------ C:\Program Files\jre-6u2-windows-i586-p-iftw.exe
2007-08-24 14:52 643,808 --a------ C:\Program Files\iVocalize4Setup.exe
2007-08-24 14:52 <DIR> d-------- C:\Program Files\iVocalize Web Conference 4
2007-08-22 09:27 218,801 --a------ C:\Program Files\keywordi.exe
2007-08-22 09:27 <DIR> d-------- C:\Program Files\AnalogX
2007-08-09 12:18 <DIR> d-------- C:\Program Files\Skype
2007-08-09 12:18 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-08-09 12:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Skype
2007-08-09 12:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-08-09 12:15 23,990,568 --a------ C:\Program Files\SkypeSetup.exe
2007-08-09 11:53 <DIR> d-------- C:\Program Files\iTunes
2007-08-09 11:53 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-07 07:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-09-08 10:34 --------- d-------- C:\Program Files\TownCrier
07-09-08 10:33 --------- d-------- C:\Program Files\Plaxo
07-09-08 08:01 --------- d-------- C:\Program Files\Viewpoint
07-09-08 08:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
07-09-07 20:47 5659648 --a------ C:\Program Files\spf.msi
07-09-07 20:46 17 --a------ C:\Program Files\stinger.opt
07-09-02 10:12 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
07-08-27 17:39 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WeatherBug
07-08-18 17:02 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 271224 --a------ C:\WINNT\system32\mucltui.dll
07-07-30 19:19 207736 --a------ C:\WINNT\system32\muweb.dll
07-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
07-07-24 08:28 879832 --a------ C:\WINNT\system32\drivers\vetefile.sys
07-07-24 08:28 108360 --a------ C:\WINNT\system32\drivers\veteboot.sys
07-07-24 07:12 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Viewpoint
07-06-26 04:57 235280 --a------ C:\WINNT\system32\GDI32.DLL
07-06-01 05:59 6010424 --a------ C:\Program Files\Firefox Setup 2.0.0.4.exe
07-05-22 22:00 6221304 --a------ C:\Program Files\winamp535_full_emusic-7plus.exe
07-04-27 18:02 9187304 --a------ C:\Program Files\winamp534_full_bundle_emusic-7plus.exe
07-04-13 07:04 347208 --a------ C:\Program Files\minibuginstaller.exe
07-04-09 19:20 1657304 --a------ C:\Program Files\TownCrier.exe
07-03-17 08:32 11868792 --a------ C:\Program Files\winamp533_full_bundle_emusic-7plus.exe
07-03-11 07:49 2664176 --a------ C:\Program Files\PopularScreensaversSetup2.2.60.6.ZRfox000.exe
07-02-08 23:50 13951112 --a------ C:\Program Files\MPSetup.exe
07-01-28 22:57 16706160 --a------ C:\Program Files\AdbeRdr60_enu_full.exe
07-01-28 17:08 7050552 --a------ C:\Program Files\psa30se_en_us.exe
07-01-28 14:49 40798696 --a------ C:\Program Files\NAV071420.exe
07-01-08 22:09 36808256 --a------ C:\Program Files\iTunesSetup.exe
06-12-23 20:41 14800440 --a------ C:\Program Files\snagitup.exe
06-12-13 10:56 914744 --a------ C:\Program Files\PlaxoIETlbrInstallNT.exe
06-12-13 10:48 2962800 --a------ C:\Program Files\PlaxoInstallNT.exe
06-12-13 10:45 134442 --a------ C:\Program Files\plaxotbird.xpi
06-11-21 22:36 15477552 --a------ C:\Program Files\IE7-WindowsServer2003-x86-enu.exe
06-10-08 16:20 2379672 --a------ C:\Program Files\AiRoboForm.exe
06-09-15 06:32 11817800 --a------ C:\Program Files\GoogleEarth.exe
06-08-29 10:20 0 --a------ C:\Program Files\tools
06-08-29 10:20 0 --a------ C:\Program Files\t
06-08-29 10:20 0 --a------ C:\Program Files\sql
06-08-29 10:20 0 --a------ C:\Program Files\spamd
06-08-29 10:20 0 --a------ C:\Program Files\spamc
06-08-29 10:20 0 --a------ C:\Program Files\rules
06-08-29 10:20 0 --a------ C:\Program Files\replace
06-08-29 10:20 0 --a------ C:\Program Files\OSXStartup
06-08-29 10:20 0 --a------ C:\Program Files\masses
06-08-29 10:20 0 --a------ C:\Program Files\lib
06-08-29 10:20 0 --a------ C:\Program Files\ldap
06-08-29 10:20 0 --a------ C:\Program Files\contrib
06-08-29 10:20 0 --a------ C:\Program Files\build
06-08-29 10:18 61855 --a------ C:\Program Files\Changes
06-08-29 10:16 9906 --a------ C:\Program Files\20_uri_tests.cf
06-08-29 10:16 9308 --a------ C:\Program Files\25_body_tests_es.cf
06-08-29 10:16 9237 --a------ C:\Program Files\libspamc.h
06-08-29 10:16 85440 --a------ C:\Program Files\spamd.raw
06-08-29 10:16 8533 --a------ C:\Program Files\25_replace.cf
06-08-29 10:16 8332 --a------ C:\Program Files\20_advance_fee.cf
06-08-29 10:16 6968 --a------ C:\Program Files\20_body_tests.cf
06-08-29 10:16 6735 --a------ C:\Program Files\25_uribl.cf
06-08-29 10:16 6533 --a------ C:\Program Files\preprocessor
06-08-29 10:16 6095 --a------ C:\Program Files\utils.c
06-08-29 10:16 5670 --a------ C:\Program Files\10_misc.cf
06-08-29 10:16 5567 --a------ C:\Program Files\spamassassin.spec
06-08-29 10:16 5094 --a------ C:\Program Files\60_whitelist.cf
06-08-29 10:16 5008 --a------ C:\Program Files\20_porn.cf
06-08-29 10:16 4982 --a------ C:\Program Files\getopt.c
06-08-29 10:16 47576 --a------ C:\Program Files\30_text_de.cf
06-08-29 10:16 44600 --a------ C:\Program Files\libspamc.c
06-08-29 10:16 4233 --a------ C:\Program Files\configure.pl
06-08-29 10:16 41763 --a------ C:\Program Files\sa-learn.raw
06-08-29 10:16 41606 --a------ C:\Program Files\sa-update.raw
06-08-29 10:16 3794 --a------ C:\Program Files\utils.h
06-08-29 10:16 3778 --a------ C:\Program Files\qmail-spamc.c
06-08-29 10:16 3671 --a------ C:\Program Files\60_whitelist_spf.cf
06-08-29 10:16 35934 --a------ C:\Program Files\Makefile.PL
06-08-29 10:16 3537 --a------ C:\Program Files\20_meta_tests.cf
06-08-29 10:16 35074 --a------ C:\Program Files\30_text_fr.cf
06-08-29 10:16 34768 --a------ C:\Program Files\sa-stats.pl
06-08-29 10:16 3444 --a------ C:\Program Files\run-corpora
06-08-29 10:16 33991 --a------ C:\Program Files\50_scores.cf
06-08-29 10:16 33050 --a------ C:\Program Files\20_head_tests.cf
06-08-29 10:16 3064 --a------ C:\Program Files\25_spf.cf
06-08-29 10:16 2929 --a------ C:\Program Files\25_hashcash.cf
06-08-29 10:16 2558 --a------ C:\Program Files\60_whitelist_dkim.cf
06-08-29 10:16 2543 --a------ C:\Program Files\run-masses
06-08-29 10:16 2534 --a------ C:\Program Files\60_whitelist_dk.cf
06-08-29 10:16 2525 --a------ C:\Program Files\23_bayes.cf
06-08-29 10:16 24937 --a------ C:\Program Files\spamassassin.raw
06-08-29 10:16 2355 --a------ C:\Program Files\20_net_tests.cf
06-08-29 10:16 22432 --a------ C:\Program Files\spamc.c
06-08-29 10:16 2184 --a------ C:\Program Files\25_dkim.cf
06-08-29 10:16 2182 --a------ C:\Program Files\mboxsplit
06-08-29 10:16 2138 --a------ C:\Program Files\25_domainkeys.cf
06-08-29 10:16 2008 --a------ C:\Program Files\MANIFEST.SKIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [02-11-19 21:01 C:\WINNT\SOUNDMAN.EXE]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [00-07-10 15:00 ]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [00-07-10 15:00 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-01-07 01:06 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-02-16 23:11 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 09:50 ]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [07-08-29 08:28 ]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [07-05-05 08:28 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [04-10-15 19:40 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [05-03-21 15:13 C:\WINNT\system32\CTFMON.EXE]
"DW4"="" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [04-11-11 20:50 ]
"ef334dd5.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [04-12-07 15:44 ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [06-11-16 12:42 ]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [06-04-07 15:02 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-10 15:00:00]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-11-30 11:52:24]
TownCrier.lnk - C:\Program Files\TownCrier\TownCrier.exe [2006-11-09 12:45:36]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R0 aic116x;aic116x;C:\WINNT\system32\DRIVERS\aic116x.sys
R0 cpqfcalm;cpqfcalm;C:\WINNT\system32\DRIVERS\cpqfcalm.sys
R0 cpqfws2e;cpqfws2e;C:\WINNT\system32\DRIVERS\cpqfws2e.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 fireport;fireport;C:\WINNT\system32\DRIVERS\fireport.sys
R0 flashpnt;flashpnt;C:\WINNT\system32\DRIVERS\flashpnt.sys
R0 ipsraidn;ipsraidn;C:\WINNT\system32\DRIVERS\ipsraidn.sys
R0 lp6nds35;lp6nds35;C:\WINNT\system32\DRIVERS\lp6nds35.sys
R0 ql2100;ql2100;C:\WINNT\system32\DRIVERS\ql2100.sys
R0 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.sys
R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS
R2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 S3Inc;S3Inc;C:\WINNT\system32\DRIVERS\s3sav4m.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S0 Ncrc710;Ncrc710;C:\WINNT\system32\DRIVERS\ncrc710.sys
S3 admjoy;Aureal Game Port Enumerator;C:\WINNT\system32\DRIVERS\admjoy.sys
S3 InCDFat;Ahead InCDFat File System Driver;\??\C:\WINNT\system32\Drivers\InCDFat.sys
S3 mf;mf;C:\WINNT\system32\DRIVERS\mf.sys
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys
S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINNT\system32\drivers\adm8830.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-06 15:37:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 10:33:04
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 10:36:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-08 10:36
.
--- E O F ---

+++++++++++++++

Now the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:32 PM, on 9/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TownCrier\TownCrier.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ef334dd5.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: TownCrier.lnk = C:\Program Files\TownCrier\TownCrier.exe
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136588706455
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167656849074
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/move/06071909...2ie06071909.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9241 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:11:44 AM

Posted 09 September 2007 - 04:59 AM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O4 - HKCU\..\Run: [ef334dd5.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O8 - Extra context menu item: &Search - ?p=ZRfox000
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/move/06071909...2ie06071909.cab

Exit HijackThis.

Find and delete if present:
C:\Program Files\Viewpoint
C:\Program Files\AWS
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
C:\DOCUME~1\ADMINI~1\APPLIC~1\Viewpoint
C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

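Triaging the entries RichieUK picked out above can be partly automated. The following is an added example, not code from this thread or from HijackThis: a small Python parser for the HijackThis log format that applies the same kind of heuristics an analyst uses when reading a log (a registered component marked `(file missing)`, an autostart entry pointing at a hex-named executable in a user-writable profile directory, a context-menu item with no local handler, and an O16 ActiveX download from a host outside an allowlist). The sample log is a constructed subset of the entries posted in this thread; `TRUSTED_DPF_HOSTS` is an allowlist assumed for the example, not a list from the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed offline sample: a subset of the HijackThis entries posted in this
# thread (copied verbatim), mixing benign and suspicious lines.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ef334dd5.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\ef334dd5.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136588706455
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
"""

# Assumed allowlist of hosts an O16 (ActiveX download) entry may point at.
# This is an assumption made for the example, not a list from the thread.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "support.f-secure.com"}

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_KEY = re.compile(r"^HK\S*?\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|bat|cmd))\b', re.I)
HEX_STEM = re.compile(r"^[0-9a-f]{6,}$", re.I)
LOCAL_TARGET = re.compile(r"^(res://|file://|[A-Za-z]:\\)", re.I)
USER_WRITABLE = ("\\local settings\\application data\\", "\\local settings\\temp\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _flag_run_target(cmd):
    """Flag an autostart target that looks like a dropped payload: a hex-only
    file name inside a user-writable profile directory (the ef334dd5.exe pattern)."""
    m = EXE_PATH.match(cmd.strip())
    if not m:
        return None
    path = m.group("path")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if any(marker in path.lower() for marker in USER_WRITABLE) and HEX_STEM.match(stem):
        return f"autostart runs hex-named file from user-writable directory: {path}"
    return None


def _flag_entry(section, body):
    """Return a reason string if this entry deserves analyst attention, else None."""
    if "(file missing)" in body:
        return "registered component whose file is missing (orphaned or half-removed install)"
    if section == "O4":
        m = RUN_KEY.match(body) or STARTUP.match(body)
        return _flag_run_target(m.group("cmd")) if m else None
    if section == "O8":
        target = body.rsplit(" - ", 1)[-1].strip()
        if not LOCAL_TARGET.match(target):
            return f"context menu item with no local handler, target is {target!r}"
        return None
    if section == "O16":
        head, _, url = body.rpartition(" - ")
        host = urlsplit(url.strip()).hostname or ""
        reasons = []
        if host not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX control downloaded from unlisted host {host!r}")
        if "(" not in head:
            reasons.append("control has no registered name")
        return "; ".join(reasons) or None
    return None


def triage(log_text):
    """Parse a HijackThis log and return the entries worth a closer look.
    Header lines and the running-process list do not match ENTRY and are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        reason = _flag_entry(m.group("section"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run the file to print the flagged entries. Note what the heuristics miss: the `[Weather]` entry that RichieUK also had fixed is a normally formed path under Program Files and is only recognisable as adware from knowledge of the vendor, which is why a parser like this narrows the list for review rather than replacing the analyst.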

#5 Marrick

Marrick
  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:44 AM

Posted 09 September 2007 - 09:33 AM

Have not had any problems since I ran the previous process in which the Viewpoint program was removed, and the PC is working fine today. But I ran through your instructions anyway. Here is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/09/2007 at 10:02 AM

Application Version : 3.9.1008

Core Rules Database Version : 3302
Trace Rules Database Version: 1308

Scan type : Complete Scan
Total Scan Time : 00:36:11

Memory items scanned : 446
Memory threats detected : 0
Registry items scanned : 6322
Registry threats detected : 0
File items scanned : 31590
File threats detected : 55

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.licenseacquisition[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@74613876[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@try.screensavers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mb[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@vhost.oddcast[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@data1.perf.overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kanoodle[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.expedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@coolsavings[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@qnsr[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads1.mediaops.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaops.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@recipe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hotbar[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@nextag[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@searchadnetwork[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver.softwareonline[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bannerads.zwire[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.searchadnetwork[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@icc.intellisrv[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@netmediagroup[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.adnetwork.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@data4.perf.overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@windowsmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.licenseacquisition[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@data3.perf.overture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1068576137[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.clickmanage[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@banners[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@imp.partner2profit[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.wordtracker[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cts.metricsdirect[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@wordtracker[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@track.bestbuy[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.windowsmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1072322959[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@coregmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@secure.adprofile[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ecnext.advertserve[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickondetroit[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mb[1].txt

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:10 AM, on 9/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TownCrier\TownCrier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: TownCrier.lnk = C:\Program Files\TownCrier\TownCrier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136588706455
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167656849074
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8667 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:11:44 AM

Posted 09 September 2007 - 10:50 AM

Your log is clean :thumbsup:
If all's OK, please do the following.

Find and delete:
Combofix.exe
C:\Qoobox

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#7 Marrick

Marrick
  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:44 AM

Posted 09 September 2007 - 11:29 AM

Richie,

Everything seems fine now. Thanks very much for your help!

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:11:44 AM

Posted 09 September 2007 - 01:32 PM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.