Htempo Removal


4 replies to this topic

#1 Dadeo


Posted 31 October 2007 - 10:44 AM

I was infected with htempo: popups of warnings of viruses, trojans, worms etc. Scanned in Adaware, ewido, etc., yielded no infection. Pop-up warnings remained. Downloaded ComboFix, latest HijackThis, Spybot S&D, and ran cleaner. Could not load latest HijackThis.exe so more research yielded VundoFix.exe. Applied it (seems pretty aggressive but it got me clean). Up and running back on the net with minor issues but I need the HijackThis and ComboFix logs read if you please. The odd thing is that on my Linksys network pane that indicates that I am connected to the net with a blue world, it shows I am not but I still can navigate on the web. Also tried to play a client video on a trusted site in Windows Media Player and nothing played on a DSL set up.

Let me know your thoughts please. I am currently using Spybot S&D as the main interference and Symantec as secondary. Thanks in advance.
Dadeo


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:40 AM, on 10/31/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Paul Liggitt\Desktop\Briefcase\Paul's\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4444] command /c del "C:\WINNT\system32\ldcore.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3334] cmd /c del "C:\WINNT\system32\ldcore.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5425] command /c del "C:\WINNT\system32\ldcore.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2156] cmd /c del "C:\WINNT\system32\ldcore.dll"
O4 - HKCU\..\Run: [Microsoft NetMeeting] "C:\Program Files\NetMeeting\conf.exe" -Background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1067] command /c del "C:\WINNT\system32\ldcore.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1886] cmd /c del "C:\WINNT\system32\ldcore.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8228] command /c del "C:\WINNT\system32\ldcore.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4787] cmd /c del "C:\WINNT\system32\ldcore.dll"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Wireless-G PCI Monitor.lnk = C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Paul Liggitt\Desktop\Briefcase\Paul's\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6738 bytes


ComboFix 07-10-30.5 - Paul Liggitt 10/30/2007 22:14:10.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.329 [GMT -5:00]
Running from: C:\Documents and Settings\Paul Liggitt\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Paul Liggitt\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Paul Liggitt\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Paul Liggitt\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Paul Liggitt\My Documents\FNTS~1
C:\Program Files\Common Files\hose4444.dll
C:\Program Files\Common Files\hose83122.dll
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\icroso~1
C:\Program Files\WindowsUpdate\lafute.dll
C:\Program Files\WindowsUpdate\lafute182.dll
C:\Program Files\WindowsUpdate\lafute184.dll
C:\Program Files\WindowsUpdate\lafute459.dll
C:\Program Files\WindowsUpdate\lafute913.dll
C:\temp\tn3
C:\UGA6P
C:\WINNT\b122.exe
C:\WINNT\cookies.ini
C:\WINNT\system32\andteiy.dll
C:\WINNT\system32\d3
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\f22
C:\WINNT\system32\f22\bc1224wv.exe
C:\WINNT\system32\fqpdiuvt.ini
C:\WINNT\system32\jrdpmwhp.exe
C:\WINNT\system32\ldcore.dll
C:\WINNT\system32\oTt08e
C:\WINNT\system32\oTt08e\oTt08e1099.exe
C:\WINNT\system32\p8
C:\WINNT\system32\p8\stallbb1.exe
C:\WINNT\system32\pac.txt
C:\WINNT\system32\rhjyamwv.dllbox
C:\WINNT\system32\s2
C:\WINNT\system32\s2\vawss83122.exe
C:\WINNT\system32\ttwvw.bak1
C:\WINNT\system32\ttwvw.bak2
C:\WINNT\system32\ttwvw.ini
C:\WINNT\system32\tvuidpqf.dll
C:\WINNT\system32\v1
C:\WINNT\system32\wvwtt.dll
C:\WINNT\system32\yexgnese.exe
C:\WINNT\tsitra1000106.exe
C:\WINNT\tsitra77.exe
C:\WINNT\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_RDRIV
-------\core
-------\rdriv


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-30 22:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_46c.dat
2007-10-30 22:12 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-30 21:54 <DIR> d-------- C:\VundoFix Backups
2007-10-30 08:15 340,032 --a------ C:\WINNT\system32\wjgcexgf.dll
2007-10-29 21:40 <DIR> d-------- C:\WINNT\pss
2007-10-29 08:15 589 --a------ C:\WINNT\system32\sqxkogsi.dll
2007-10-27 16:18 7,713 --a------ C:\WINNT\system32\ldcore.dll
2007-09-30 16:36 <DIR> d-------- C:\WINNT\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 00:10 --------- d-----w C:\Program Files\Firefox
2007-10-30 03:21 --------- d-----w C:\Program Files\Google
2007-10-30 03:05 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-30 02:58 --------- d-----w C:\Program Files\Creative
2007-10-29 15:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-08-19 21:55 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\system32\INETCOMM.DLL
2007-08-19 21:55 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2007-08-19 21:55 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2007-08-17 06:48 448,272 ----a-w C:\WINNT\system32\oieng400.dll
2007-08-17 06:48 39,184 ----a-w C:\WINNT\system32\jpeg2x32.dll
2007-08-17 06:48 33,552 ----a-w C:\WINNT\system32\tifflt.dll
2007-07-30 23:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-17 06:42 439,056 ----a-w C:\WINNT\system32\rpcrt4.dll
2004-01-18 19:59 11,244 ----a-w C:\Program Files\CUSLOG.TXT
2002-06-20 21:53 271 ---h--w C:\Program Files\desktop.ini
2002-06-20 21:53 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [05-07-15 16:48 ]
"Tweak UI"="TWEAKUI.CPL" [00-06-18 14:03 C:\WINNT\system32\TWEAKUI.CPL]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06-04-12 10:30 ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 14:59 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft NetMeeting"="C:\Program Files\NetMeeting\conf.exe" [03-06-19 14:05 ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Paul Liggitt\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2004-04-12 14:25:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G PCI Monitor.lnk - C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe [2004-12-20 22:29:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\winnt\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\wvwtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Paul Liggitt^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Paul Liggitt\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINNT\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINNT\wt\updater\wcmdmgrl.exe -launch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
"C:\WINNT\winshow.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaCdaC11BA"=2 (0x2)

R0 mpegport;mpegport;C:\WINNT\system32\DRIVERS\mpegport.sys
R2 rmdvd;RM DVD helper;C:\WINNT\system32\DRIVERS\rmdvd.sys
R3 3cpciadi;3Com Windows Modem Driver PCI ADI;C:\WINNT\system32\DRIVERS\3cpciadi.sys
R3 P0630VID;Creative WebCam Live!;C:\WINNT\system32\DRIVERS\P0630Vid.sys
R3 rmquasar;Hollywood Plus MiniDriver;C:\WINNT\system32\DRIVERS\rmquasar.sys
R3 voodoo3;voodoo3;C:\WINNT\system32\DRIVERS\voodoo3.sys
S3 3dfxvs;3dfxvs;C:\WINNT\system32\DRIVERS\3dfxvsm.sys
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINNT\system32\DRIVERS\ngrpci.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 02:54:46 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Paul Liggitt.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 22:21:56
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 22:24:15 - machine was rebooted
.
--- E O F ---


#2 Grinler (Lawrence Abrams), Admin

Posted 21 November 2007 - 01:00 PM

I apologize for the very long delay. We have been very busy and it has been taking us greater time than normal to get the logs caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

Thank you for your patience.

#3 Dadeo (Topic Starter)

Posted 24 November 2007 - 10:36 AM

Yes, I would still like you to take a look at the HijackThis log. Things seem to be better but the odd thing is that my online Linksys window indicates not online while I am indeed online, plus Symantec is giving me an activation needed alert. I tried all of their fixes and nothing works. It seems that Spybot has flagged Symantec. What is a better antivirus solution? In any case take a look at the latest HijackThis log and give me a recommendation. Thanks. Dadeo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:59 AM, on 11/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Paul Liggitt\Desktop\Briefcase\Paul's\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\FIREFOX\FIREFOX.EXE
C:\Program Files\Palm\Palm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [Microsoft NetMeeting] "C:\Program Files\NetMeeting\conf.exe" -Background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Wireless-G PCI Monitor.lnk = C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Paul Liggitt\Desktop\Briefcase\Paul's\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5920 bytes

#4 Grinler (Lawrence Abrams), Admin

Posted 24 November 2007 - 02:56 PM

Spybot and Symantec Antivirus are two very different programs. Spybot focuses on spyware and adware and Symantec mostly focuses on worms, trojans, etc. There is some overlap, but you really need to have both an antispyware and an antivirus program running at the same time. A very good free antivirus program, if you want to switch from Symantec, is Avast Free.

The log currently looks clean, but since ComboFix reported malware previously I would like to run it again from a fresh version.


* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then,
  • Download Combofix to your desktop.

  • Doubleclick combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.
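Before a fresh HijackThis log gets reviewed, a helper usually diffs it against the previous scan and hand-checks the load points rather than reading the whole thing top to bottom. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses HijackThis v2 entry lines (the excerpts embedded here are constructed from the two logs posted above), diffs the two scans, flags O20 AppInit_DLLs entries and O23 services with no vendor for manual verification, and checks whether a path ComboFix listed as deleted is still referenced, which means either the file came back or a stale registry value is pointing at a file that no longer exists.

```python
import re

# Entry lines look like "O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll";
# header lines and the "Running processes" block do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Windows paths inside an entry body, tolerant of spaces in directory names.
WINPATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|sys|ocx|cpl)\b", re.IGNORECASE)

# Constructed excerpts of the first and second HijackThis logs in this thread.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

O4 - HKLM\..\RunOnce: [SpybotDeletingC2156] cmd /c del "C:\WINNT\system32\ldcore.dll"
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""
NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""
# Two of the paths the ComboFix log above listed under "Other Deletions".
COMBOFIX_DELETED = [r"C:\WINNT\system32\ldcore.dll", r"C:\WINNT\system32\wvwtt.dll"]


def parse_hjt(text):
    """Return [(kind, body)] for every entry line in a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out


def diff_logs(old_text, new_text):
    """Entries that vanished since the old scan, and entries that are new."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(old - new), sorted(new - old)


def flag_entries(entries):
    """Entries a reviewer should verify by hand, each with the reason."""
    flagged = []
    for kind, body in entries:
        if kind == "O20":
            # AppInit_DLLs is loaded into every process that maps user32.dll.
            flagged.append((kind, body, "AppInit_DLLs/Winlogon hook: system-wide DLL load"))
        elif kind == "O23" and "Unknown owner" in body:
            flagged.append((kind, body, "service binary carries no vendor in its version info"))
        elif kind == "O4" and re.search(r"\b(?:cmd|command) /c del\b", body):
            flagged.append((kind, body, "RunOnce deletion left by a cleaner; gone after one reboot"))
    return flagged


def still_referenced(entries, deleted_paths):
    """Deleted paths that a later log still names. HijackThis reports the
    registry value, not the file, so verify on disk whether it came back."""
    deleted = {p.lower() for p in deleted_paths}
    return [(kind, p) for kind, body in entries
            for p in WINPATH_RE.findall(body) if p.lower() in deleted]


def review(old_text, new_text, deleted_paths):
    """Summarise a second-scan review: what changed and what to hand-check."""
    removed, added = diff_logs(old_text, new_text)
    new_entries = parse_hjt(new_text)
    return {"removed": removed, "added": added,
            "flagged": flag_entries(new_entries),
            "still_referenced": still_referenced(new_entries, deleted_paths)}


if __name__ == "__main__":
    for key, rows in review(OLD_LOG, NEW_LOG, COMBOFIX_DELETED).items():
        print(f"== {key} ==")
        for row in rows:
            print("  ", " | ".join(row))
```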

#5 Dadeo (Topic Starter)

Posted 26 November 2007 - 11:02 AM

Dear Grinler,
I will follow up with the ComboFix stuff and the new HijackThis log and post on Monday evening to get things straight, hopefully. Thanks for your help. I have also heard about Avast and will check into that. Will post soon.
Dadeo.



