
Zlobb3, Zlob.bzm Infection


  • This topic is locked
6 replies to this topic

#1 Backwoods

Backwoods

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 16 December 2007 - 02:00 PM

Hiya,

I have Zlob infection. I have used Ad-Aware, Spybot S&D, Norton, nCleaner, Stinger, in an attempt to get it out. No luck.

I also ran Panda and Bitdefender. Panda said 14 infections and got rid of one of them. BitDefender said there were Zlob infections, and neither program could remove them.

I get redirect screens to a security system called "SWS AntiSpyware 2007," as well as credit and "buy Xmas" windows. I downloaded SmitFraudFix and ran it in safe mode. ZoneAlarm shows a program called "egjzksa.exe" is trying to access the web, which I do not allow, and it is trying to get to 127.0.01 port 1086.

Would you like any logs from SmitFraudFix?

In addition, my arrow keys and Home and End keys are working funny, or not at all.

Here is the HijackThis log, from the current program. As you would imagine, any help is most gratefully acknowledged.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:05 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C070E6D-75E9-42AD-A427-C7BFA7000B7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{61C3FD85-CAE9-43F3-9E95-B7052575CF54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD692C18-7CDD-45CB-BBAC-F18EF749F0BE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6263 bytes

Edited by Backwoods, 16 December 2007 - 05:43 PM.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:29 PM

Posted 16 December 2007 - 06:39 PM

Hello Backwoods,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Backwoods

Backwoods
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 17 December 2007 - 08:35 AM

Hiya Teacup61,

Thanks for the help, much.

I got rid of a buncha things, such as Google Pack, Spyware Doctor, Quicktime, etc., then downloaded ComboFix, and after some trouble, it ran. Here is the ComboFix log, followed by the new HijackThis log:


ComboFix 07-12-16.4 - XP 2007-12-17 5:08:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.138 [GMT -8:00]
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Documents and Settings\XP\Local Settings\Application Data\eqjzksa.dat
C:\Documents and Settings\XP\Local Settings\Application Data\eqjzksa.exe
c:\Documents and Settings\XP\Local Settings\Application Data\eqjzksa_nav.dat
c:\Documents and Settings\XP\Local Settings\Application Data\eqjzksa_navps.dat

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-16 17:13 . 2007-12-17 04:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-16 17:12 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-16 17:08 . 2007-12-16 17:55 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-12-16 17:07 . 2007-12-17 04:58 <DIR> d-------- C:\Program Files\Google
2007-12-16 12:30 . 2007-12-16 13:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-16 12:30 . 2007-12-16 12:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-16 10:09 . 2007-12-16 14:51 3,144 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-15 21:52 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-13 18:19 . 2007-12-13 18:26 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-12-11 19:09 . 2007-12-11 19:09 <DIR> d-------- C:\Documents and Settings\XP\Application Data\Apple Computer
2007-12-08 13:49 . 2007-12-08 13:50 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-08 13:49 . 2007-12-08 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-06 17:19 . 2007-12-06 17:19 <DIR> d-------- C:\Documents and Settings\XP\Application Data\nCleaner
2007-12-06 13:59 . 2007-12-06 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-24 12:37 . 2007-11-24 12:37 <DIR> d-------- C:\Program Files\PeaZip
2007-11-17 22:34 . 2007-12-16 09:18 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-11-17 20:44 . 2007-11-17 20:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-17 20:44 . 2007-11-17 20:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-17 19:13 . 2007-12-16 16:00 0 --a------ C:\WINDOWS\system32\w32apiw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 12:57 297,668 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 12:57 25,972,768 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-16 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 21:25 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-16 21:20 --------- d-----w C:\Program Files\Elantech
2007-12-16 21:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-16 21:18 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-12-16 05:56 --------- d-----w C:\Program Files\Java
2007-12-16 05:45 --------- d-----w C:\Program Files\DivX
2007-12-14 05:33 --------- d-----w C:\Program Files\Winamp
2007-12-11 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 15:22 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 15:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 15:22 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 15:22 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 15:22 --------- d-----w C:\Program Files\Symantec
2007-11-24 20:29 --------- d-----w C:\Program Files\Opera
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 03:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 03:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 03:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 03:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 03:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 03:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 03:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 03:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 03:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-17 03:24 --------- d-----w C:\Program Files\Real
2007-10-01 23:50 64,504 -c--a-w C:\WINDOWS\system32\kdxno.exe
2007-09-28 16:08 156,992 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 00:39 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-03-21 21:57]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-03-21 21:53]
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2005-01-28 19:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-01 20:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-05-25 14:38:42]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)

R3 Ktp;Elantech Touchpad;C:\WINDOWS\system32\DRIVERS\Ktp.sys
S3 DUBE100B;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\DUBE100B.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 03:12:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-11 04:52:47 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - XP.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 05:11:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 5:12:38
.
2007-12-12 06:39:16 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:38 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C070E6D-75E9-42AD-A427-C7BFA7000B7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{61C3FD85-CAE9-43F3-9E95-B7052575CF54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD692C18-7CDD-45CB-BBAC-F18EF749F0BE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6546 bytes


Wadda ya think?

By the way, is there any security program that can prevent such Trojans? They seem quite mean, and none of the programs that I have found seem to work, assuming I am using them properly. I am going to cruise these BC Forums, but your advice would be welcome.

Thanks again.............................Stephen

Edited by Backwoods, 17 December 2007 - 08:39 AM.
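The two HijackThis logs in this thread are read by eye, line by line. As an added example (not code from the thread, HijackThis or ComboFix), the script below parses HijackThis v2 entry lines and flags the things a helper looks for first: R0 entries with an empty value, O4 autostarts whose executable lives under a user profile directory (the location ComboFix deleted eqjzksa.* from above), and O17 NameServer values outside an allowlist. The sample log is constructed from lines in the thread plus two invented ones: an O4 line for eqjzksa.exe, which never appeared in the posted logs, and an O17 line pointing at 192.0.2.53; the profile-directory list and the OpenDNS allowlist (208.67.220.220 / 208.67.222.222, the resolvers shown on every adapter here) are assumptions of this example.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Resolvers present on every adapter in the thread's logs; treated as expected (assumption).
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}
# Profile locations an autostart entry should not normally run from (constructed heuristic).
PROFILE_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")

# Constructed sample: real lines from the thread plus two invented ones (eqjzksa O4, 192.0.2.53 O17).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [eqjzksa] C:\Documents and Settings\XP\Local Settings\Application Data\eqjzksa.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C070E6D-75E9-42AD-A427-C7BFA7000B7A}: NameServer = 192.0.2.53
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4" or "O17"
    severity: str  # "suspicious" or "info"
    detail: str
    line: str      # the raw log line the finding refers to


_ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
_R = re.compile(r"^(.*?),([^=]+?)\s*=\s*(.*)$")          # hive\key,ValueName = data
_O4 = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O17 = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.*)$")


def command_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: stop at the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_hjt(log_text: str):
    """Yield (section, body, raw_line) for each entry line; header lines are skipped."""
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def triage(log_text: str) -> list:
    """Apply the three checks and return findings in log order."""
    findings = []
    for section, body, raw in parse_hjt(log_text):
        if section in ("R0", "R1"):
            m = _R.match(body)
            if m and not m.group(3).strip():
                # An empty value carries no setting; helpers usually have these fixed.
                findings.append(Finding(section, "info", f"empty browser setting: {m.group(2)}", raw))
        elif section == "O4":
            m = _O4.match(body)
            if not m:
                continue  # "Global Startup" shortcuts use a different layout
            path = command_path(m.group("cmd"))
            if "\\" not in path:
                findings.append(Finding(section, "info", f"bare filename resolved via PATH: {path}", raw))
            elif any(d in path.lower() for d in PROFILE_DIRS):
                findings.append(Finding(section, "suspicious", f"autostart from user profile: {path}", raw))
        elif section == "O17":
            m = _O17.match(body)
            if not m:
                continue
            unknown = [s.strip() for s in m.group("servers").split(",") if s.strip() not in EXPECTED_DNS]
            if unknown:
                findings.append(Finding(section, "suspicious", "unexpected DNS server(s): " + ", ".join(unknown), raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.detail}")
```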


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:29 PM

Posted 17 December 2007 - 02:27 PM

Hello Stephen,

You had a Navipromo infection. :blink:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

I'd like to run another program to be sure there isn't anything else hanging out, please, then we'll get to prevention, okay? :thumbsup:

Please print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select the "Apply all actions" button, and AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
How's it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Backwoods

Backwoods
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 18 December 2007 - 01:57 PM

Hiya Tea,

The computer seems to be working fine at this point.

The exception is Firefox's "arrow" and "home" and "end" buttons, which are still strange, even after reinstalling the program gotten from Mozilla. It may be Firefox itself, in which case this is not the right spot to deal with it.

Anyway, I followed your instructions. Here is the AVG log, and then the HijackThis log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:37:54 AM 12/18/2007

+ Scan result:



:mozilla.258:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.264:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.38:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.39:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.40:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.44:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.45:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.46:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.235:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Addynamix : No action taken.
:mozilla.26:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.86:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.87:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.88:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.89:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.91:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.65:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.144:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
:mozilla.102:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.23:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.100:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.92:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.93:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.94:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.95:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.96:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.97:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.217:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.273:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.175:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.257:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.128:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.28:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\XP\Cookies\xp@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\XP\Cookies\xp@ssl-hints.netflame[3].txt -> TrackingCookie.Netflame : No action taken.
:mozilla.241:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.116:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.117:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.118:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.119:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.120:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.121:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.125:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.126:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.110:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.111:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.112:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.161:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.162:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.163:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.29:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.30:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.31:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.32:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.33:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.34:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.35:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.104:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.105:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.106:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.107:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.108:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.113:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.114:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.115:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.122:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.123:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.124:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.129:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.103:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.200:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Weborama : No action taken.
:mozilla.254:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.218:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.219:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.220:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.221:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.222:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.225:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.226:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.227:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.228:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.229:C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\02uqu5td.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:47 AM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C070E6D-75E9-42AD-A427-C7BFA7000B7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{61C3FD85-CAE9-43F3-9E95-B7052575CF54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD692C18-7CDD-45CB-BBAC-F18EF749F0BE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6679 bytes



I look forward to your reaction.

Stephen
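The three HijackThis sections that matter most for a Zlob-type infection are the O4 Run entries (how the dropper restarts), the O17 NameServer lines (DNS-changing Zlob variants rewrite these so every lookup goes to an attacker resolver) and the O23 services (where a malicious service hides among legitimate ones). The script below is an added example, not tooling from BleepingComputer or from the poster: it parses those three entry types out of a HijackThis log and flags what a helper would look at first. The sample lines are copied from the log posted above; the allow-list of expected resolvers is an assumption for the example (208.67.220.220 and 208.67.222.222 are OpenDNS addresses, which the machine's owner would have configured deliberately), so it should be replaced with whatever the ISP or network actually uses.

```python
"""Triage a HijackThis log: flag O17 DNS entries outside an allow-list,
O23 services with no identified owner, and O4 Run entries that name a
bare executable (resolved via the search path rather than a full path)."""
import re
from dataclasses import dataclass

# Assumption for this example: the expected resolvers are the OpenDNS
# addresses seen in the posted log. Replace with the real ISP/LAN resolvers.
OPENDNS = frozenset({"208.67.220.220", "208.67.222.222"})

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C070E6D-75E9-42AD-A427-C7BFA7000B7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


@dataclass
class Finding:
    kind: str     # "dns", "service" or "run"
    detail: str
    line: str


def parse_o4(line):
    """Return (registry key, value name, command) for an O4 entry, else None."""
    m = O4_RE.match(line)
    return (m.group("key"), m.group("name"), m.group("cmd")) if m else None


def parse_o17(line):
    """Return (registry key, [resolver, ...]) for an O17 entry, else None."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return m.group("key"), servers


def parse_o23(line):
    """Return (service name, owner, image path) for an O23 entry, else None."""
    m = O23_RE.match(line)
    return (m.group("name"), m.group("owner"), m.group("path")) if m else None


def triage(log_text, allowed_dns):
    """Walk the log once and return the entries a malware helper would check first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (o17 := parse_o17(line)):
            key, servers = o17
            bad = [s for s in servers if s not in allowed_dns]
            if bad:
                findings.append(Finding(
                    "dns", f"{key} points at unexpected resolver(s) {','.join(bad)}", line))
        elif (o23 := parse_o23(line)):
            name, owner, path = o23
            # HijackThis prints "Unknown owner" when the image has no usable
            # company string; confirm the file on disk before trusting it.
            if owner.lower() == "unknown owner":
                findings.append(Finding(
                    "service", f"{name!r} has no identified owner; verify {path}", line))
        elif (o4 := parse_o4(line)):
            key, name, cmd = o4
            # A Run value with no directory is resolved by the search path, so
            # a same-named file planted earlier in that path would run instead.
            if "\\" not in cmd:
                findings.append(Finding(
                    "run", f"[{name}] starts bare executable {cmd}; confirm which file runs", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, OPENDNS):
        print(f"{f.kind:8} {f.detail}")
```

Run against the sample with the OpenDNS allow-list, it reports the bare `SOUNDMAN.EXE` Run entry and the two "Unknown owner" services (both legitimate here, but each is worth a file check); the O17 lines stay quiet. Swap in a different allow-list and the same O17 lines are flagged, which is exactly the signal a DNS-changing infection leaves behind.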

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 20 December 2007 - 01:39 PM

Hello Stephen,

Looks good.....how is it running after a couple of days?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 12 January 2008 - 08:16 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
