
Virus Alert! In Tray Next To Time (referal From Am I Infected? What Do I Do? Forum)


7 replies to this topic

#1 Dit

  • Members
  • 15 posts

Posted 20 July 2008 - 07:10 PM

Greetings, I began working this problem in the Am I infected? What do I do? forum on 18 July. Here was my original problem:

- I can only logon as Administrator (or my own profile) in Safe Mode.

- No internet access (Right now I'm using another computer, downloading any recommendations to a USB thumbdrive and copying these over to the infected machine.)

- Safe Mode is selective about allowing me to Install new programs, therefore only executables can be moved and used on the infected machine.

- Running Spybot, SDfix, and Smitfraudfix powers down the computer after these programs run for a few minutes (Note: this is not an overheating problem but a part of the virus)

Since my original post, I have followed the recommendations as follows:

Ran Malwarebytes' Anti-Malware six times.
Ran SmitFraudFix v2.329 once.
Downloaded and installed XP_CodecRepair.inf and followed instructions

On my own I have run VundoFix. It didn't find anything so I manually removed C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) which kept showing up repeatedly in the MBAM logs.

Ran MBAM one more time on my own and had only one error noted which did not require a reboot to correct.

Now when booting in "normal mode" the following happens:

1) The windows user logon screen appears giving me my normal logon profile
2) I logon
3) Task bar comes up without the "Virus Alert!" next to the time as before.
4) The computer locks with a normal movable cursor in the middle of a black screen and the hour glass cursor appearing over the task bar but no control at all to include no CTL-ALT-DEL or any keyboard functionality.
5) Unlike before, when I log on using my profile in Safe Mode, I have access to all drives, Control Panel, the Run command, etc.
6) The clock in the task bar stops at logon time.

Since I can only use Safe Mode, DSS.exe warns not to run unless directed by an analyst...so I didn't execute the program. I already had HijackThis installed on the infected machine so I ran it, copied the resulting txt file to a thumb drive and here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:01 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\Documents and Settings\Dit\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O2 - BHO: QXK Olive - {14CF3567-2DC2-4BDC-991A-CBDDDC1D4374} - (no file)
O2 - BHO: (no name) - {49459133-0F84-4712-AE6D-7E6E3B5DB5BC} - C:\WINDOWS2\system32\urqQhGXo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9DE6E729-3CBD-42A2-AE52-C99609B230D4} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search\2\DesktopSearchBand203000018.dll
O4 - HKLM\..\Run: [wl] C:\WINDOWS2\system32\wladmin.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: byXNhfgF - byXNhfgF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS2\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 7620 bytes

Edited by Dit, 21 July 2008 - 02:12 AM.




#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 21 July 2008 - 06:22 AM

Hello Dit and welcome to BleepingComputer,

If necessary, you can perform all steps in safe mode.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 Dit

  • Topic Starter

  • Members
  • 15 posts

Posted 21 July 2008 - 03:30 PM

Hello Thunder and my sincerest thanks for your help. I've followed your instructions and the two output logs follow. Once again, thank you. Dit

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

6:15:41 AM 7/21/2008
mbam-log-7-21-2008 (06-15-41).txt

Scan type: Quick Scan
Objects scanned: 49369
Time elapsed: 13 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49459133-0f84-4712-ae6d-7e6e3b5db5bc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49459133-0f84-4712-ae6d-7e6e3b5db5bc} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.


----------------------------------------------------------------------------


ComboFix 08-07-20.A0 - Dit 2008-07-21 8:34:52.2 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Dit\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS2\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 13:46 . 2008-07-20 13:46 <DIR> d-------- C:\Deckard
2008-07-20 11:02 . 2008-07-20 11:02 <DIR> d-------- C:\VundoFix Backups
2008-07-19 09:34 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS2\system32\drivers\mbamswissarmy.sys
2008-07-18 14:00 . 2008-07-18 14:00 <DIR> d-------- C:\Documents and Settings\Dit\Application Data\Malwarebytes
2008-07-18 10:38 . 2008-07-19 09:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 10:38 . 2008-07-18 10:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-07-18 10:38 . 2008-07-18 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.DITWORK\Application Data\Malwarebytes
2008-07-18 10:38 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS2\system32\drivers\mbam.sys
2008-07-18 08:41 . 2008-07-18 08:41 <DIR> d-------- C:\Documents and Settings\Administrator.DITWORK\Application Data\Thunderbird
2008-07-18 06:18 . 2008-07-18 06:47 <DIR> d-------- C:\SmitfraudFix
2008-07-18 06:17 . 2008-07-17 07:47 1,478,367 --a------ C:\SmitfraudFix.exe
2008-07-18 06:15 . 2008-07-18 06:15 <DIR> d-------- C:\_OTMoveIt
2008-07-17 12:14 . 2008-07-17 12:15 <DIR> d-------- C:\WINDOWS2\ERUNT
2008-07-17 12:13 . 2008-07-18 07:44 <DIR> d-------- C:\SDFix
2008-07-17 11:31 . 2008-07-17 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 07:50 . 2008-07-18 06:39 1,304 --a------ C:\WINDOWS2\system32\tmp.reg
2008-07-16 13:35 . 2008-07-16 13:35 <DIR> d-------- C:\Program Files\ESET
2008-07-16 13:35 . 2008-07-16 13:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\ESET
2008-07-15 14:39 . 2008-07-15 15:11 <DIR> d-------- C:\Documents and Settings\Administrator.DITWORK\Application Data\Azureus
2008-07-15 12:49 . 2008-07-15 12:50 <DIR> d-------- C:\Documents and Settings\Administrator.DITWORK
2008-07-15 11:03 . 2001-08-23 02:00 4,224 --a------ C:\WINDOWS2\system32\beep.sys
2008-07-15 07:22 . 2008-07-15 07:31 <DIR> d-------- C:\Documents and Settings\Dit\Application Data\Scribus
2008-07-10 13:25 . 2008-07-15 07:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Google Updater
2008-07-10 10:46 . 2008-07-10 10:46 <DIR> d-------- C:\Program Files\JScan
2008-07-10 10:39 . 2008-07-10 10:40 <DIR> d-------- C:\Program Files\SimpleOCR
2008-07-10 10:39 . 2008-07-10 10:40 309 --a------ C:\WINDOWS2\SoftWriting.ini
2008-07-10 10:30 . 2008-07-10 10:33 <DIR> d-------- C:\Program Files\Amazing Graphic Editor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 06:50 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS2\Application Data\TEMP
2008-07-18 23:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-16 22:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\HDThermal
2008-07-16 16:41 --------- d-----w C:\Documents and Settings\Dit\Application Data\Azureus
2008-07-15 20:10 --------- d-----w C:\Program Files\dpmo
2008-07-15 17:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-14 17:03 --------- d-----w C:\Program Files\mtd2002
2008-07-11 16:21 --------- d-----w C:\Program Files\Azureus
2008-07-10 23:30 --------- d-----w C:\Program Files\Google
2008-07-10 20:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft Help
2008-06-03 18:58 --------- d-----w C:\Program Files\Quicken
2008-05-13 02:16 737,280 ----a-w C:\WINDOWS2\iun6002.exe
2007-10-19 21:58 355 ----a-w C:\Program Files\_DEISREG.ISR
2007-08-21 23:53 23,152 ----a-w C:\Documents and Settings\Dit\Application Data\GDIPFONTCACHEV1.DAT
2006-02-23 21:34 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-02-08 06:56 4,980,736 ---ha-w C:\Documents and Settings\Dit\NTUSERold.DAT
1999-04-08 20:18 49,152 -c--a-w C:\Program Files\_ISREG32.DLL
2005-10-02 18:44 94,208 ----a-w C:\Program Files\mozilla firefox\plugins\gkgfx.dll
2005-10-02 18:44 344,064 ----a-w C:\Program Files\mozilla firefox\plugins\js3250.dll
2005-10-02 18:44 196,608 ----a-w C:\Program Files\mozilla firefox\plugins\mozctl.dll
2005-10-02 18:44 24,576 ----a-w C:\Program Files\mozilla firefox\plugins\mozctlx.dll
2005-10-02 18:45 53,248 ----a-w C:\Program Files\mozilla firefox\plugins\mozz.dll
2003-12-24 00:54 487,424 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp70.dll
2003-12-24 00:54 344,064 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr70.dll
2005-10-02 18:44 155,648 ----a-w C:\Program Files\mozilla firefox\plugins\nspr4.dll
2005-10-02 18:45 348,160 ----a-w C:\Program Files\mozilla firefox\plugins\nss3.dll
2005-10-02 18:45 221,184 ----a-w C:\Program Files\mozilla firefox\plugins\nssckbi.dll
2005-10-02 18:44 28,672 ----a-w C:\Program Files\mozilla firefox\plugins\plc4.dll
2005-10-02 18:44 24,576 ----a-w C:\Program Files\mozilla firefox\plugins\plds4.dll
2005-10-02 18:45 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\smime3.dll
2005-10-02 18:45 364,544 ----a-w C:\Program Files\mozilla firefox\plugins\softokn3.dll
2005-10-02 18:45 110,592 ----a-w C:\Program Files\mozilla firefox\plugins\ssl3.dll
2005-10-02 18:44 389,120 ----a-w C:\Program Files\mozilla firefox\plugins\xpcom.dll
2005-10-02 18:44 81,920 ----a-w C:\Program Files\mozilla firefox\plugins\xpcom_compat.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wl"="C:\WINDOWS2\system32\wladmin.exe" [2002-04-15 16:02 212992]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-03-17 06:34 124656]
"USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 20:44 65536]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-23 19:30 483328]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-07-18 19:15 1191544]

C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS2\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-09 10:21:40 25214]
PGPtray.exe.lnk - C:\WINDOWS2\Installer\{524273E4-09FA-4DC4-8ACF-9C4F74E00FD3}\Icon6560581611.exe [2006-02-23 07:20:04 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=OCMAPIHK.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS2\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
backup=C:\WINDOWS2\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Firefox Preloader.lnk]
backup=C:\WINDOWS2\pss\Firefox Preloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=C:\WINDOWS2\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS2\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dit^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
backup=C:\WINDOWS2\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dit^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS2\pss\palmOne Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Copernic Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f0e42aa6

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2005-09-23 19:30 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-07 13:02 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Copernic Desktop Search 2]
--a------ 2008-03-03 10:45 1583624 C:\Program Files\Copernic Desktop Search\2\DesktopSearchService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrgSync.exe]
--a------ 2005-10-07 17:01 3032576 C:\Program Files\StorageSync\StrgSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-03-13 07:54 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-03-17 06:34 124656 C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"SavRoam"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ISSVC"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R0 PGPwded;PGPwded Storage Filter Service;C:\WINDOWS2\system32\drivers\PGPwded.sys [2006-02-03 15:57]
R1 epfwtdir;epfwtdir;C:\WINDOWS2\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
S1 vcdrom;Virtual CD-ROM Device Driver;C:\Documents and Settings\Dit\My Documents\Utilities\VCdRom.sys [2001-12-19 11:45]
S2 PGPdisk;PGPdisk;C:\WINDOWS2\system32\drivers\PGPdisk.sys [2006-02-03 16:01]
S2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS2\system32\drivers\PGPsdk.sys [2006-02-03 15:57]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\PROGRA~1\Linksys\WIRELE~1\CBTNDIS5.SYS []
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS2\system32\DRIVERS\tnet1130x.sys [2004-03-10 21:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15dbc6a1-9147-11dc-b5b6-00080297add9}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS2\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e607cb0-f585-11da-aa9a-00080297a4ac}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 19:58:00 C:\WINDOWS2\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{14CF3567-2DC2-4BDC-991A-CBDDDC1D4374} - (no file)
BHO-{9DE6E729-3CBD-42A2-AE52-C99609B230D4} - (no file)
ShellExecuteHooks-{9DE6E729-3CBD-42A2-AE52-C99609B230D4} - (no file)
Notify-byXNhfgF - byXNhfgF.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Local Page = C:\windows\system32\blank.htm
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 08:40:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 8:55:14
ComboFix-quarantined-files.txt 2008-07-21 18:54:43

Pre-Run: 11,932,020,736 bytes free
Post-Run: 11,921,670,144 bytes free

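As an added example (not part of the thread, and not code from HijackThis, MBAM or ComboFix): a small Python triage of HijackThis-format log lines like the ones Dit posted. It separates registrations that point at files already deleted (the leftover BHO and Winlogon Notify entries that ComboFix later lists under ORPHANS REMOVED) from entries that merely deserve a look because they load at logon or carry the generated-looking name of the Vundo DLL. The sample lines are constructed from the thread's entries; the random-name heuristic and the extra oXGhQqru line with its placeholder CLSID are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2.0 log format, modelled on entries
# quoted in this thread (a subset, not the full log). The oXGhQqru line and
# its all-zero CLSID are invented to show a generated-looking DLL that still exists.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {49459133-0F84-4712-AE6D-7E6E3B5DB5BC} - C:\WINDOWS2\system32\urqQhGXo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS2\system32\oXGhQqru.dll
O3 - Toolbar: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O4 - HKLM\..\Run: [wl] C:\WINDOWS2\system32\wladmin.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O20 - Winlogon Notify: byXNhfgF - byXNhfgF.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

MISSING_MARKERS = ("(no file)", "(file missing)")
# Sections whose DLLs are loaded by winlogon at logon: worth a look even when
# the file exists (the Vundo DLL in this thread registered itself there).
LOGON_SECTIONS = {"O20"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "O2", "O20"
    level: str     # "orphan" | "review" | "info"
    name: str
    target: str
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a HijackThis rule):
    an 8-letter alphabetic name with three or more upper/lower case flips,
    the shape of the generated names seen in this thread (urqQhGXo, byXNhfgF)."""
    if len(name) != 8 or not name.isalpha():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def classify(code: str, name: str, target: str) -> Finding:
    # Orphaned registration: the registry still references a file that is gone.
    if any(m in target for m in MISSING_MARKERS):
        return Finding(code, "orphan", name, target,
                       "registration points at a file that no longer exists; "
                       "remove the registry entry")
    # Reduce "C:\dir\file.ext" args" to the bare file stem for the name check.
    base = target.rsplit("\\", 1)[-1].split(" ", 1)[0].strip('"')
    stem = base.rsplit(".", 1)[0]
    if code in LOGON_SECTIONS or looks_random(stem) or looks_random(name):
        return Finding(code, "review", name, target,
                       "loads at logon or has a generated-looking name")
    return Finding(code, "info", name, target, "present, no heuristic hit")


def parse_line(line: str):
    """Return a Finding for one HijackThis line, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code == "O4":                       # "HKLM\..\Run: [name] command"
        o4 = O4_RE.match(rest)
        if o4:
            return classify(code, o4.group("name"), o4.group("cmd"))
    parts = rest.split(" - ")              # "Kind: name - {CLSID} - target"
    if len(parts) >= 2:
        name = parts[0].split(": ", 1)[-1]
        return classify(code, name, parts[-1])
    return None


def triage(log_text: str) -> list:
    """Parse every line and order findings by urgency: orphan, review, info."""
    findings = [f for f in map(parse_line, log_text.splitlines()) if f]
    order = {"orphan": 0, "review": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.level])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.code:<4} {f.name:<18} {f.target}  <- {f.reason}")
```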

#4 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 21 July 2008 - 05:22 PM

Hello Dit,

Your logs look fine now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Are you still running both Nod32 AND Symantec/Norton?
If so, please go to Start > Control Panel > Software > Add/remove programs and uninstall one of them.

Can I see a fresh HijackThis log for a final checkup please?

No more problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#5 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 21 July 2008 - 06:05 PM

Thanks Thunder, but unfortunately, when I boot in Normal Mode, I continue to have no keyboard or mouse control whatsoever. Also, the system time displayed in the taskbar does not advance (waited for over five minutes and the clock was frozen at login time). Currently sending this to you in Safe Mode. HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:34 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dit\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search\2\DesktopSearchBand203000018.dll
O4 - HKLM\..\Run: [wl] C:\WINDOWS2\system32\wladmin.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS2\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 7711 bytes

#6 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 21 July 2008 - 06:42 PM

Thunder - Please disregard my last post regarding unresponsive Normal Mode. I ran chkdsk in Safe Mode, it deleted a few things, and when I rebooted in Normal Mode, everything works, albeit a bit slow. But I can certainly live with slowness since I haven't been able to get into Normal Mode for the past five days. Once again, thank you and Bleeping Computer. You folks provide an invaluable service for which I'm certain you are underpaid. \\ Dit

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:05:17 AM

Posted 22 July 2008 - 03:17 AM

Hello Dit,

Are you still running both Nod32 AND Symantec/Norton?
If so, please go to Start > Control Panel > Software > Add/remove programs and uninstall one of them.


Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O3 - Toolbar: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please do not forget to update your JavaVM as well.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
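The three HijackThis entries Thunder singles out above share two properties that a helper spots by eye: two of them are COM registrations (a URLSearchHook and a toolbar, the same CLSID in both) whose DLL is gone, marked "(no file)", and the third points Internet Explorer's Local Page at C:\windows\system32\blank.htm while every running process in the same log lives under C:\WINDOWS2. The script below is an added example, not code from the thread or from HijackThis, that applies exactly those two checks to a few lines copied from the posted log (the sample is constructed here; the entries are the page's own). The second rule, flagging a Windows directory other than the booted system root, is this example's reading of why the R0 entry was listed; the thread itself gives no reason.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above (the three entries Thunder asked to have fixed, plus benign neighbours).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {d4b99e76-8b54-4b00-ba62-68fc54a990f1} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# HijackThis section prefix ("R0", "O3", "O23", ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# COM class identifier in the {8-4-4-4-12} form HijackThis prints for hooks, BHOs and toolbars.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    clsid: Optional[str]  # lower-cased CLSID if the entry carries one
    reason: str
    line: str


def system_root(log: str) -> Optional[str]:
    # smss.exe always runs from System32 directly under the system root, so two
    # path components above it is the root (C:\WINDOWS2 in this thread).
    for line in log.splitlines():
        if line.strip().lower().endswith("\\smss.exe"):
            parts = line.strip().split("\\")
            if len(parts) >= 3:
                return "\\".join(parts[:-2])
    return None


def _in_foreign_windows_dir(path: str, root: str) -> bool:
    # Compare drive + top-level directory against the system root, case-insensitively
    # as NTFS does; only directories that look like a Windows directory count.
    parts = path.split("\\")
    if len(parts) < 2 or not parts[1].lower().startswith("windows"):
        return False
    return "\\".join(parts[:2]).lower() != root.lower()


def triage(log: str) -> List[Finding]:
    root = system_root(log)
    findings: List[Finding] = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        clsid_m = CLSID_RE.search(rest)
        clsid = clsid_m.group(0).lower() if clsid_m else None

        # Rule 1: orphaned COM registration. The CLSID is still registered for a
        # hook/toolbar/BHO but HijackThis found no DLL behind it ("(no file)").
        if rest.endswith("(no file)"):
            findings.append(Finding(section, clsid, "registered CLSID with no file behind it", raw.strip()))
            continue

        # Rule 2: an IE start/search/local page (R0/R1) that is a local file under a
        # Windows directory other than the one this system actually booted from.
        if section in ("R0", "R1") and root:
            value = rest.partition("=")[2].strip()
            if re.match(r"^[A-Za-z]:\\", value) and _in_foreign_windows_dir(value, root):
                findings.append(Finding(section, clsid, f"local page outside system root {root}", raw.strip()))
    return findings


def group_by_clsid(findings: List[Finding]) -> Dict[str, List[str]]:
    # One CLSID appearing in several sections (here R3 and O3) is a single object
    # registered in several places and should be removed as a unit.
    groups: Dict[str, List[str]] = {}
    for f in findings:
        if f.clsid:
            groups.setdefault(f.clsid, []).append(f.section)
    return groups


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    for clsid, sections in group_by_clsid(hits).items():
        print(f"{clsid} appears in {', '.join(sections)}")
```

Run against the sample it reports exactly the three lines Thunder listed and nothing else: the Java BHO, the Adobe toolbar and the service entries all carry a real path and are left alone. "(no file)" entries are harmless leftovers rather than live code, which is why they are cleaned up with HijackThis's Fix Checked rather than with a scanner.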

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:05:17 AM

Posted 19 August 2008 - 04:52 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.