Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo Infection


  • This topic is locked This topic is locked
10 replies to this topic

#1 blad

blad

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 09 February 2008 - 04:41 PM

I have been having problems with popups and a lagging internet lately. Some of the popups ive been getting are for www.admedia365.com, uk.celldorado.com, ad.doubleclick.net, and hornymatches.com. I have also been having warning windows from Microsoft C++ Runtime Library about a Buffer overrun detected for c:\WINDOWS\Explorer.EXE (but i dont know if this is a separate problem or not!)

Spybot found the virtumonde files but didnt delete them all. I then downloaded vundofix and virtumundobegone but they couldnt delete it. I then performed an online scan with Bit Defender and here is the log. You will see the last 2 files that couldn't be deleted, so my popup problem still persists:




Statistics

Time
01:41:59

Files
242631

Folders
12092

Boot Sectors
2

Archives
8052

Packed Files
15244




Results

Identified Viruses
13

Infected Files
54

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
52


C:\WINDOWS\system32\gebcy.dll
Infected with: Trojan.Vundo.Gen.2

C:\WINDOWS\system32\gebcy.dll
Disinfection failed

C:\WINDOWS\system32\gebcy.dll
Delete failed

C:\WINDOWS\system32\vtuvuvt.dll
Infected with: Trojan.Vundo.DWR

C:\WINDOWS\system32\vtuvuvt.dll
Disinfection failed

C:\WINDOWS\system32\vtuvuvt.dll
Delete failed


And here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:05, on 09/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8846 bytes

Edited by blad, 09 February 2008 - 04:43 PM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 15 February 2008 - 04:51 PM

Hello blad,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay.:blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 blad

blad
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 16 February 2008 - 08:35 AM

sure here it is. thanks :thumbsup:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:31, on 16/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8795 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 16 February 2008 - 01:10 PM

Hello,

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 blad

blad
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 16 February 2008 - 04:20 PM

here is the combofix log:

ComboFix 08-02-17.2 - Ghouri 2008-02-16 20:37:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.619 [GMT 0:00]
Running from: C:\Documents and Settings\Ghouri\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\anyhueem.dll
C:\WINDOWS\system32\billhqjb.dll
C:\WINDOWS\system32\ctlijjxi.dll
C:\WINDOWS\system32\dtcuttrd.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\kslibace.dll
C:\WINDOWS\system32\kydaqwbu.dll
C:\WINDOWS\system32\meeuhyna.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\ojmounds.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\rqryiwxy.dll
C:\WINDOWS\system32\sdnuomjo.dll
C:\WINDOWS\system32\ubwqadyk.ini
C:\WINDOWS\system32\vtuvuvt.dll
C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-09 17:57 . 2008-02-09 19:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-09 02:22 . 2008-02-09 19:28 <DIR> d-------- C:\VundoFix Backups
2008-02-08 23:10 . 2008-02-08 23:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 22:30 . 2008-02-09 02:21 147 --a------ C:\WINDOWS\wininit.ini
2008-02-08 20:46 . 2008-02-08 20:35 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 20:46 . 2008-02-08 20:46 3,461 --a------ C:\WINDOWS\unins000.dat
2008-02-02 17:46 . 2008-02-08 21:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-01 21:47 . 2008-02-01 21:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 21:47 . 2008-02-01 21:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-27 18:55 . 2008-01-27 18:55 <DIR> d-------- C:\Documents and Settings\Ghouri\Application Data\Syntrillium
2008-01-27 18:44 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-01-27 18:44 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-01-27 18:44 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-01-27 18:44 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-01-27 18:44 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-01-27 18:44 . 2008-01-27 18:44 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-01-27 18:39 . 2008-01-27 18:39 <DIR> d-------- C:\Documents and Settings\Naz.GHOURI-EB3A537C\Application Data\Syntrillium
2008-01-27 18:32 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-27 18:32 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-27 16:11 . 2008-01-27 16:11 <DIR> d-------- C:\Program Files\XviD
2008-01-27 12:59 . 2008-01-27 12:59 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-01-27 12:48 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-24 21:56 . 2008-01-24 21:56 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-01-23 01:09 . 2008-01-23 01:09 <DIR> d-------- C:\Documents and Settings\Mum.GHOURI-EB3A537C\Contacts
2008-01-21 22:14 . 2008-01-21 22:14 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-21 21:35 . 2008-01-21 21:35 <DIR> d-------- C:\Documents and Settings\Mum.GHOURI-EB3A537C\Application Data\Syntrillium
2008-01-21 19:38 . 2008-01-21 19:38 244 --ah----- C:\sqmnoopt10.sqm
2008-01-21 19:38 . 2008-01-21 19:38 244 --ah----- C:\sqmnoopt09.sqm
2008-01-21 19:38 . 2008-01-21 19:38 244 --ah----- C:\sqmnoopt08.sqm
2008-01-21 19:38 . 2008-01-21 19:38 232 --ah----- C:\sqmdata10.sqm
2008-01-21 19:38 . 2008-01-21 19:38 232 --ah----- C:\sqmdata09.sqm
2008-01-21 19:38 . 2008-01-21 19:38 232 --ah----- C:\sqmdata08.sqm
2008-01-21 19:37 . 2008-01-21 19:37 244 --ah----- C:\sqmnoopt07.sqm
2008-01-21 19:37 . 2008-01-21 19:37 244 --ah----- C:\sqmnoopt06.sqm
2008-01-21 19:37 . 2008-01-21 19:37 232 --ah----- C:\sqmdata07.sqm
2008-01-21 19:37 . 2008-01-21 19:37 232 --ah----- C:\sqmdata06.sqm
2008-01-21 14:21 . 2008-01-29 16:23 288 --a------ C:\WINDOWS\hpqcopy.INI
2008-01-20 23:20 . 2008-01-20 23:20 268 --ah----- C:\sqmdata05.sqm
2008-01-20 23:20 . 2008-01-20 23:20 244 --ah----- C:\sqmnoopt05.sqm
2008-01-20 22:57 . 2008-01-27 12:12 <DIR> d-------- C:\Documents and Settings\Naz.GHOURI-EB3A537C\Contacts
2008-01-20 22:46 . 2008-01-20 22:46 244 --ah----- C:\sqmnoopt04.sqm
2008-01-20 22:46 . 2008-01-20 22:46 244 --ah----- C:\sqmnoopt03.sqm
2008-01-20 22:46 . 2008-01-20 22:46 244 --ah----- C:\sqmnoopt02.sqm
2008-01-20 22:46 . 2008-01-20 22:46 232 --ah----- C:\sqmdata04.sqm
2008-01-20 22:46 . 2008-01-20 22:46 232 --ah----- C:\sqmdata03.sqm
2008-01-20 22:46 . 2008-01-20 22:46 232 --ah----- C:\sqmdata02.sqm
2008-01-20 21:14 . 2008-01-20 21:14 <DIR> d-------- C:\Documents and Settings\Naz.GHOURI-EB3A537C\Application Data\Share-to-Web Upload Folder
2008-01-19 22:57 . 2008-01-19 22:57 <DIR> d-------- C:\Program Files\SymNetDrv
2008-01-19 22:36 . 2008-01-19 22:36 268 --ah----- C:\sqmdata01.sqm
2008-01-19 22:36 . 2008-01-19 22:36 244 --ah----- C:\sqmnoopt01.sqm
2008-01-19 22:25 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-19 22:25 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-19 22:25 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-19 22:25 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-19 22:25 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-19 22:25 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-19 22:25 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-19 22:25 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-19 22:25 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-19 22:09 . 2008-02-13 23:55 <DIR> d-------- C:\Program Files\Norton Personal Firewall
2008-01-19 22:08 . 2008-01-19 22:40 <DIR> d-------- C:\Documents and Settings\Ghouri\Application Data\Symantec
2008-01-19 22:08 . 2008-01-19 22:08 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-01-19 22:06 . 2008-01-19 22:58 <DIR> d-------- C:\Program Files\Symantec
2008-01-19 22:06 . 2008-01-19 22:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-01-19 22:06 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-19 22:06 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-19 19:39 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-19 19:39 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-19 19:39 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-19 19:07 . 2008-01-19 19:07 <DIR> d-------- C:\Documents and Settings\Mum.GHOURI-EB3A537C\Application Data\Share-to-Web Upload Folder
2008-01-19 19:05 . 2008-01-19 19:05 268 --ah----- C:\sqmdata00.sqm
2008-01-19 19:05 . 2008-01-19 19:05 244 --ah----- C:\sqmnoopt00.sqm
2008-01-19 18:47 . 2008-01-19 18:47 <DIR> d-------- C:\Temp\cXzz9
2008-01-19 18:26 . 2008-01-19 18:26 <DIR> d-------- C:\Documents and Settings\Ghouri\Contacts
2008-01-19 18:15 . 2008-01-27 12:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-01-19 17:43 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-19 17:43 . 2008-01-19 17:43 264 --a------ C:\WINDOWS\_delis32.ini
2008-01-19 17:37 . 2008-01-27 13:06 81,920 -r------- C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2008-01-19 17:22 . 2008-01-27 13:07 0 --a------ C:\Debug.QC6
2008-01-19 17:21 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-19 17:21 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-19 17:17 . 2008-01-19 17:17 <DIR> d-------- C:\Documents and Settings\Ghouri\Application Data\Share-to-Web Upload Folder
2008-01-19 17:15 . 2004-10-08 01:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-19 17:06 . 2001-08-23 01:04 139,264 --a------ C:\WINDOWS\system32\EBAPI2.dll
2008-01-19 17:06 . 2001-12-12 11:46 131,072 --a------ C:\WINDOWS\system32\Epcmlib.dll
2008-01-19 17:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-19 17:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-19 17:03 . 2002-09-30 02:33 73,676 --a------ C:\WINDOWS\system32\EBPMON2.DLL
2008-01-19 17:03 . 2002-07-31 02:25 61,440 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2008-01-19 17:03 . 2000-06-07 01:01 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2008-01-19 17:03 . 2008-01-19 17:06 19,410 --a------ C:\WINDOWS\EPSTPLOG.BAK
2008-01-19 17:03 . 2001-09-04 02:04 182 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2008-01-19 17:00 . 2008-01-20 22:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-19 15:40 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-19 15:40 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-19 15:40 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-19 15:40 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-19 15:40 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-19 15:40 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-19 15:40 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 23:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-14 17:45 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-02-08 20:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 20:06 --------- d-----w C:\Program Files\XoftSpySE
2008-02-01 21:48 --------- d-----w C:\Program Files\Lavasoft
2008-01-27 18:47 --------- d-----w C:\Program Files\coolpro2
2008-01-27 13:06 --------- d-----w C:\Program Files\Logitech
2008-01-27 13:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-27 12:36 --------- d-----w C:\Program Files\Google
2008-01-20 21:18 454 ----a-w C:\Program Files\Shortcut to Adobe.lnk
2008-01-19 18:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-19 14:45 32,187,536 ----a-w C:\back_up.reg
2008-01-18 15:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 23:33 --------- d-----w C:\Program Files\Windows Defender
2008-01-10 23:32 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-10 23:32 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 20:21 --------- d-----w C:\Program Files\Windows Live
2008-01-09 20:20 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-09 19:44 --------- d-----w C:\Program Files\TomTom HOME
2008-01-09 15:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-08 22:20 --------- d-----w C:\Documents and Settings\Naz\Application Data\HouseCall 6.6
2008-01-07 19:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-06 20:27 --------- d-----w C:\Program Files\Winamp Remote
2008-01-06 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Tenebril
2008-01-06 16:59 --------- d-----w C:\Program Files\New Folder
2008-01-06 16:36 --------- d-----w C:\Documents and Settings\Naz\Application Data\Tenebril
2008-01-06 13:39 --------- d-----w C:\Program Files\CCleaner
2008-01-05 02:26 --------- d-----w C:\Documents and Settings\Ass\Application Data\Winff
2008-01-03 01:57 --------- d-----w C:\Program Files\Smallvideosoft
2008-01-03 01:42 --------- d-----w C:\Program Files\AviSynth 2.5
2008-01-03 00:53 --------- d-----w C:\Documents and Settings\Naz\Application Data\Winff
2008-01-03 00:50 --------- d-----w C:\Program Files\WinFF
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-10-01 13:39 505 ---ha-w C:\Documents and Settings\Iffath\hpothb07.dat
2007-09-03 16:21 65,208 ----a-w C:\Documents and Settings\Dr GHOURI\Application Data\GDIPFONTCACHEV1.DAT
2007-03-19 13:43 65,208 ----a-w C:\Documents and Settings\Ass\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:04 65,208 ----a-w C:\Documents and Settings\Mum\Application Data\GDIPFONTCACHEV1.DAT
2006-03-14 16:15 66,096 ----a-w C:\Documents and Settings\Naz\Application Data\GDIPFONTCACHEV1.DAT
2006-03-07 14:34 66,096 ----a-w C:\Documents and Settings\Iffath\Application Data\GDIPFONTCACHEV1.DAT
2002-01-14 17:30 21,823,560 ----a-w C:\Program Files\dotnetfx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BB3ECA7-CF8C-4FFB-A9C5-BD2AE9F67FC0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C4B4682-70F0-44AF-A7DA-7791E2F17235}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1131CF05-C597-435F-A19F-7BF2D49337C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E907225-F7D0-438B-88CB-83DC9519EEF6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49EB0FA6-5940-479F-8F2F-8470BA220D97}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6387868B-6EED-4C82-BEA4-F5A3D5792AC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75C213DC-B2C1-4F07-99C8-369D608C814A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90EABE2F-ADB0-4B23-9BEF-D0966FD68A09}]
C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEAA6A89-A410-4490-935C-89793499D879}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-19 15:19 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD9A5A30-B80B-4015-BC30-73B7012910B6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-19 15:19 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-06 16:07 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 07:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-05-10 22:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-06-01 09:37 380928]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 03:19 69632]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 14:21 102400]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32 58984]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-19 22:57 100056]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-10 22:03 8429568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-01-27 13:06:52 169472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuvt]

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-05-31 14:29]
R3 Intels51;Intel® 536EP V.92 Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2002-05-10 14:31]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-05-31 14:29]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 21:06:41 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-15 19:56:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-17 21:08:16 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 21:08:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2008-02-17 21:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 21:14:34
ComboFix2.txt 2008-01-06 16:00:06
.
2008-02-14 00:16:20 --- E O F ---


And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:14, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {90EABE2F-ADB0-4B23-9BEF-D0966FD68A09} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: vtuvuvt - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10051 bytes



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 16 February 2008 - 05:05 PM

Hello,

Lots to do this time. :blink:

First you should know that you're actually doing more harm than good by running 2 Anti Virus programs. (Norton and Avast!) When you do this both programs compete for resources, and the end result is neither does it's best and can cause system instability. I recommend that you choose the one you want to keep, update it, disable the other one, and use it as an on demand only scan occasionally.

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {90EABE2F-ADB0-4B23-9BEF-D0966FD68A09} - C:\WINDOWS\system32\ssttq.dll (file missing)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O20 - Winlogon Notify: vtuvuvt - C:\WINDOWS\


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BB3ECA7-CF8C-4FFB-A9C5-BD2AE9F67FC0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C4B4682-70F0-44AF-A7DA-7791E2F17235}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1131CF05-C597-435F-A19F-7BF2D49337C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E907225-F7D0-438B-88CB-83DC9519EEF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49EB0FA6-5940-479F-8F2F-8470BA220D97}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6387868B-6EED-4C82-BEA4-F5A3D5792AC7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75C213DC-B2C1-4F07-99C8-369D608C814A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90EABE2F-ADB0-4B23-9BEF-D0966FD68A09}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEAA6A89-A410-4490-935C-89793499D879}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD9A5A30-B80B-4015-BC30-73B7012910B6}]
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuvt]

File::
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\_delis32.ini


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
How is it running now, please? :thumbsup:

Thank you!
tea

Edited by teacup61, 16 February 2008 - 05:06 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 blad

blad
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 16 February 2008 - 08:38 PM

Hi, I dont appear to have any more popups (tho it is still early days yet!). Thanks :thumbsup:. I have norton personal firewall and avast! antivirus installed on my pc. I used to have norton antivirus as well but i uninstalled it some time ago. Is it detrimental to my computer to have norton firewall and avast antivirus together?

Here is my combofix log:

ComboFix 08-02-17.2 - Ghouri 2008-02-18 0:57:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT 0:00]
Running from: C:\Documents and Settings\Ghouri\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ghouri\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\_delis32.ini
C:\WINDOWS\system32\ssttq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\_delis32.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-09 17:57 . 2008-02-09 19:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-09 02:22 . 2008-02-09 19:28 <DIR> d-------- C:\VundoFix Backups
2008-02-08 23:10 . 2008-02-08 23:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 22:30 . 2008-02-09 02:21 147 --a------ C:\WINDOWS\wininit.ini
2008-02-08 20:46 . 2008-02-08 20:35 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 20:46 . 2008-02-08 20:46 3,461 --a------ C:\WINDOWS\unins000.dat
2008-02-02 17:46 . 2008-02-08 21:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-01 21:47 . 2008-02-01 21:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 21:47 . 2008-02-01 21:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-27 18:55 . 2008-01-27 18:55 <DIR> d-------- C:\Documents and Settings\Ghouri\Application Data\Syntrillium
2008-01-27 18:44 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-01-27 18:44 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-01-27 18:44 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-01-27 18:44 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-01-27 18:44 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-01-27 18:44 . 2008-01-27 18:44 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-01-27 18:39 . 2008-01-27 18:39 <DIR> d-------- C:\Documents and Settings\Naz.GHOURI-EB3A537C\Application Data\Syntrillium
2008-01-27 18:32 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-27 18:32 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-27 16:11 . 2008-01-27 16:11 <DIR> d-------- C:\Program Files\XviD
2008-01-27 12:59 . 2008-01-27 12:59 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-01-27 12:48 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-24 21:56 . 2008-01-24 21:56 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-01-23 01:09 . 2008-01-23 01:09 <DIR> d-------- C:\Documents and Settings\Mum.GHOURI-EB3A537C\Contacts
2008-01-21 22:14 . 2008-01-21 22:14 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-21 21:35 . 2008-01-21 21:35 <DIR> d-------- C:\Documents and Settings\Mum.GHOURI-EB3A537C\Application Data\Syntrillium
2008-01-21 19:38 . 2008-01-21 19:38 244 --ah----- C:\sqmnoopt10.sqm
2008-01-21 19:38 . 2008-01-21 19:38 244 --ah----- C:\sqmnoopt09.sqm
2008-01-21 19:38 . 2008-01-21 19:38 244 --ah----- C:\sqmnoopt08.sqm
2008-01-21 19:38 . 2008-01-21 19:38 232 --ah----- C:\sqmdata10.sqm
2008-01-21 19:38 . 2008-01-21 19:38 232 --ah----- C:\sqmdata09.sqm
2008-01-21 19:38 . 2008-01-21 19:38 232 --ah----- C:\sqmdata08.sqm
2008-01-21 19:37 . 2008-01-21 19:37 244 --ah----- C:\sqmnoopt07.sqm
2008-01-21 19:37 . 2008-01-21 19:37 244 --ah----- C:\sqmnoopt06.sqm
2008-01-21 19:37 . 2008-01-21 19:37 232 --ah----- C:\sqmdata07.sqm
2008-01-21 19:37 . 2008-01-21 19:37 232 --ah----- C:\sqmdata06.sqm
2008-01-21 14:21 . 2008-01-29 16:23 288 --a------ C:\WINDOWS\hpqcopy.INI
2008-01-20 23:20 . 2008-01-20 23:20 268 --ah----- C:\sqmdata05.sqm
2008-01-20 23:20 . 2008-01-20 23:20 244 --ah----- C:\sqmnoopt05.sqm
2008-01-20 22:57 . 2008-01-27 12:12 <DIR> d-------- C:\Documents and Settings\Naz.GHOURI-EB3A537C\Contacts
2008-01-20 22:46 . 2008-01-20 22:46 244 --ah----- C:\sqmnoopt04.sqm
2008-01-20 22:46 . 2008-01-20 22:46 244 --ah----- C:\sqmnoopt03.sqm
2008-01-20 22:46 . 2008-01-20 22:46 244 --ah----- C:\sqmnoopt02.sqm
2008-01-20 22:46 . 2008-01-20 22:46 232 --ah----- C:\sqmdata04.sqm
2008-01-20 22:46 . 2008-01-20 22:46 232 --ah----- C:\sqmdata03.sqm
2008-01-20 22:46 . 2008-01-20 22:46 232 --ah----- C:\sqmdata02.sqm
2008-01-20 21:14 . 2008-01-20 21:14 <DIR> d-------- C:\Documents and Settings\Naz.GHOURI-EB3A537C\Application Data\Share-to-Web Upload Folder
2008-01-19 22:57 . 2008-01-19 22:57 <DIR> d-------- C:\Program Files\SymNetDrv
2008-01-19 22:36 . 2008-01-19 22:36 268 --ah----- C:\sqmdata01.sqm
2008-01-19 22:36 . 2008-01-19 22:36 244 --ah----- C:\sqmnoopt01.sqm
2008-01-19 22:25 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-19 22:25 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-19 22:25 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-19 22:25 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-19 22:25 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-19 22:25 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-19 22:25 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-19 22:25 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-19 22:25 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-19 22:09 . 2008-02-13 23:55 <DIR> d-------- C:\Program Files\Norton Personal Firewall
2008-01-19 22:08 . 2008-01-19 22:40 <DIR> d-------- C:\Documents and Settings\Ghouri\Application Data\Symantec
2008-01-19 22:08 . 2008-01-19 22:08 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-01-19 22:06 . 2008-01-19 22:58 <DIR> d-------- C:\Program Files\Symantec
2008-01-19 22:06 . 2008-01-19 22:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-01-19 22:06 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-19 22:06 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-19 19:39 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-19 19:39 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-19 19:39 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-19 19:07 . 2008-01-19 19:07 <DIR> d-------- C:\Documents and Settings\Mum.GHOURI-EB3A537C\Application Data\Share-to-Web Upload Folder
2008-01-19 19:05 . 2008-01-19 19:05 268 --ah----- C:\sqmdata00.sqm
2008-01-19 19:05 . 2008-01-19 19:05 244 --ah----- C:\sqmnoopt00.sqm
2008-01-19 18:47 . 2008-01-19 18:47 <DIR> d-------- C:\Temp\cXzz9
2008-01-19 18:26 . 2008-01-19 18:26 <DIR> d-------- C:\Documents and Settings\Ghouri\Contacts
2008-01-19 18:15 . 2008-01-27 12:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-01-19 17:43 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-19 17:37 . 2008-01-27 13:06 81,920 -r------- C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2008-01-19 17:22 . 2008-01-27 13:07 0 --a------ C:\Debug.QC6
2008-01-19 17:21 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-19 17:21 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-19 17:17 . 2008-01-19 17:17 <DIR> d-------- C:\Documents and Settings\Ghouri\Application Data\Share-to-Web Upload Folder
2008-01-19 17:15 . 2004-10-08 01:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-19 17:06 . 2001-08-23 01:04 139,264 --a------ C:\WINDOWS\system32\EBAPI2.dll
2008-01-19 17:06 . 2001-12-12 11:46 131,072 --a------ C:\WINDOWS\system32\Epcmlib.dll
2008-01-19 17:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-19 17:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-19 17:03 . 2002-09-30 02:33 73,676 --a------ C:\WINDOWS\system32\EBPMON2.DLL
2008-01-19 17:03 . 2002-07-31 02:25 61,440 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2008-01-19 17:03 . 2000-06-07 01:01 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2008-01-19 17:03 . 2008-01-19 17:06 19,410 --a------ C:\WINDOWS\EPSTPLOG.BAK
2008-01-19 17:03 . 2001-09-04 02:04 182 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2008-01-19 17:00 . 2008-01-20 22:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-19 15:40 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-19 15:40 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-19 15:40 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-19 15:40 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-19 15:40 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-19 15:40 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-19 15:40 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-19 15:40 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-14 17:45 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-02-08 20:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 20:06 --------- d-----w C:\Program Files\XoftSpySE
2008-02-01 21:48 --------- d-----w C:\Program Files\Lavasoft
2008-01-27 18:47 --------- d-----w C:\Program Files\coolpro2
2008-01-27 13:06 --------- d-----w C:\Program Files\Logitech
2008-01-27 13:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-27 12:36 --------- d-----w C:\Program Files\Google
2008-01-20 21:18 454 ----a-w C:\Program Files\Shortcut to Adobe.lnk
2008-01-19 18:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-19 14:45 32,187,536 ----a-w C:\back_up.reg
2008-01-18 15:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 23:33 --------- d-----w C:\Program Files\Windows Defender
2008-01-10 23:32 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-10 23:32 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 20:21 --------- d-----w C:\Program Files\Windows Live
2008-01-09 20:20 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-09 19:44 --------- d-----w C:\Program Files\TomTom HOME
2008-01-09 15:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-08 22:20 --------- d-----w C:\Documents and Settings\Naz\Application Data\HouseCall 6.6
2008-01-07 19:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-06 20:27 --------- d-----w C:\Program Files\Winamp Remote
2008-01-06 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Tenebril
2008-01-06 16:59 --------- d-----w C:\Program Files\New Folder
2008-01-06 16:36 --------- d-----w C:\Documents and Settings\Naz\Application Data\Tenebril
2008-01-06 13:39 --------- d-----w C:\Program Files\CCleaner
2008-01-05 02:26 --------- d-----w C:\Documents and Settings\Ass\Application Data\Winff
2008-01-03 01:57 --------- d-----w C:\Program Files\Smallvideosoft
2008-01-03 01:42 --------- d-----w C:\Program Files\AviSynth 2.5
2008-01-03 00:53 --------- d-----w C:\Documents and Settings\Naz\Application Data\Winff
2008-01-03 00:50 --------- d-----w C:\Program Files\WinFF
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-10-01 13:39 505 ---ha-w C:\Documents and Settings\Iffath\hpothb07.dat
2007-09-03 16:21 65,208 ----a-w C:\Documents and Settings\Dr GHOURI\Application Data\GDIPFONTCACHEV1.DAT
2007-03-19 13:43 65,208 ----a-w C:\Documents and Settings\Ass\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:04 65,208 ----a-w C:\Documents and Settings\Mum\Application Data\GDIPFONTCACHEV1.DAT
2006-03-14 16:15 66,096 ----a-w C:\Documents and Settings\Naz\Application Data\GDIPFONTCACHEV1.DAT
2006-03-07 14:34 66,096 ----a-w C:\Documents and Settings\Iffath\Application Data\GDIPFONTCACHEV1.DAT
2002-01-14 17:30 21,823,560 ----a-w C:\Program Files\dotnetfx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-19 15:19 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-06 16:07 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 07:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-05-10 22:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-06-01 09:37 380928]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 03:19 69632]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 14:21 102400]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32 58984]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-19 22:57 100056]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-10 22:03 8429568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-01-27 13:06:52 169472]

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-05-31 14:29]
R3 Intels51;Intel® 536EP V.92 Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2002-05-10 14:31]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-05-31 14:29]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 00:07:10 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-17 23:56:45 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-18 00:00:18 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 01:02:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 1:02:53
ComboFix-quarantined-files.txt 2008-02-18 01:02:31
ComboFix2.txt 2008-02-17 21:14:39
ComboFix3.txt 2008-01-06 16:00:06
.
2008-02-14 00:16:20 --- E O F ---


and here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:37:34, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9670 bytes



#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 17 February 2008 - 12:48 PM

Hello, and Happy Sunday to you! :thumbsup:

Now that some time has passed....still all right?

As long as you only run one Firewall and one AntiVirus you'll be all right. The only problem might be that Norton is SO heavy on resources.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 blad

blad
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 18 February 2008 - 05:09 PM

Thanks for all your help, i havent had a single popup now! should i download spywareblaster and spywareguard or is just one of them enough?

take care

blad :thumbsup:

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 18 February 2008 - 11:36 PM

You're most welcome. :thumbsup: One should be enough.....it's just as bad to overdo as it is to not do enough. :blink:

Best,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 25 February 2008 - 07:26 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users