Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked Pc -zombie Mail Relay


  • This topic is locked This topic is locked
14 replies to this topic

#1 lisa777

lisa777

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 23 July 2008 - 11:02 PM

HI,

Today, I received an email from my ISP stating:

Road Runner has received complaints (with data) showing that a computer connected to
the cable modem assigned to your Road Runner account has been used to send mass
quantities of SPAM or UCE (unsolicited commercial email).

It appears that your PC may be infected with malicious
software and is being hijacked and used as a "zombie" mail relay (or as part of a "botnet").
A botnet is a network of zombie computers that are infected with code that allows an unauthorized user
to control them via the Internet. These computers can be used to spread spam, launch denial-of-service
attacks against web sites, and conduct fraudulent activities.



I believe I could be infected possibleby an IM file that one of my kids opened...When they're using IM, a message gets automatically sent stating "this looks like you lol"...I'm not sure if this is the actual problem...just a guess.

I'm attempting to clean the virus rather than reinstall XP so I've started with Hijack This as recommended by a coworker. After this I was told to run a bunch of spy ware scans like: Ad Aware and Spybot.

I was directed to this site by performing a Hijack This scan. I don't know what I'm looking for in the log file (what I should fix)so if someone could take a look for me, I'd appreciate it.

Below are my DDS logs as requested. I'm trying to also do the Kaspersky scan but I'm having a bit of trouble as it keeps aborting.

Thanks!

Main.text reults:
Deckard's System Scanner v20071014.68
Run by Parents on 2008-07-23 22:40:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
96: 2008-07-24 03:40:17 UTC - RP208 - Deckard's System Scanner Restore Point
95: 2008-07-23 11:43:20 UTC - RP207 - System Checkpoint
94: 2008-07-22 07:44:32 UTC - RP206 - System Checkpoint
93: 2008-07-21 00:38:59 UTC - RP205 - System Checkpoint
92: 2008-07-19 23:03:10 UTC - RP204 - System Checkpoint


-- First Restore Point --
1: 2008-04-25 00:37:48 UTC - RP113 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Parents.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:30 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
C:Program FilesCommon FilesSymantec SharedccProxy.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBroadcomASFIPMonAsfIpMon.exe
C:Program FilesBonjourmDNSResponder.exe
C:WINDOWSsystem32cisvc.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32svchost.exe
C:Program FilesSmith MicroStuffItArcNameService.exe
C:Program FilesViewpointCommonViewpointService.exe
C:Program FilesiPodbiniPodService.exe
C:WINDOWSsystem32lxcjcoms.exe
C:WINDOWSSystem32alg.exe
C:WINDOWSsystem32cidaemon.exe
C:WINDOWSsystem32cidaemon.exe
C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe
C:WINDOWSExplorer.EXE
C:Program FilesAdobeAcrobat 7.0DistillrAcrotray.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:Program FilesNapsternapster.exe
C:Program FilesLexmark 8300 Serieslxcjmon.exe
C:Program FilesLexmark 8300 Seriesezprint.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:Program FilesiTunesiTunesHelper.exe
C:WINDOWSsystem32wuauclt.exe
C:WINDOWSsystem32cumaquop.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLLoginProxy.exe
C:Documents and SettingsParentsMy DocumentsSoundTaxidss.exe
C:WINDOWSsystem32wbemwmiprvse.exe
C:PROGRA~1TRENDM~1HIJACK~1Parents.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.cnn.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:Program FilesCommon FilesSymantec SharedcoSharedBrowser1.7NppBho.dll
O2 - BHO: IMHelper Class - {36E359F2-0C67-4eac-880A-E10D8CBDDC54} - c:windowssystem32wdrddr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_03binssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:Program FilesCommon FilesSymantec SharedcoSharedBrowser1.7UIBHO.dll
O4 - HKLM..Run: [PrinTray] C:WINDOWSSystem32spoolDRIVERSW32X863printray.exe
O4 - HKLM..Run: [Acrobat Assistant 7.0] "C:Program FilesAdobeAcrobat 7.0DistillrAcrotray.exe"
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesCoresmax4pnp.exe
O4 - HKLM..Run: [NapsterShell] C:Program FilesNapsternapster.exe /systray
O4 - HKLM..Run: [lxcjmon.exe] "C:Program FilesLexmark 8300 Serieslxcjmon.exe"
O4 - HKLM..Run: [EzPrint] "C:Program FilesLexmark 8300 Seriesezprint.exe"
O4 - HKLM..Run: [LXCJCATS] rundll32 C:WINDOWSSystem32spoolDRIVERSW32X863LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.6.0_03binjusched.exe
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [Symantec PIF AlertEng] "C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe" /a /m "C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}AlertEng.dll"
O4 - HKLM..Run: [Media Codec Update Service] C:Program FilesEssentials Codec Packupdate.exe -silent
O4 - HKLM..Run: [AppleSyncNotifier] C:Program FilesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [pypu] C:WINDOWSsystem32cumaquop.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:Program FilesAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.doralusa.com/dana-cached/setup/...perSetupSP1.cab
O21 - SSODL: SysTrayGUID - {342D5ACA-6747-4740-BE55-12D6966E6534} - c:windowssystem32emlded.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:Program FilesBroadcomASFIPMonAsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:WINDOWSsystem32ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedVAScannercomHost.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:PROGRA~1SymantecLIVEUP~1LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe
O23 - Service: lxcj_device - - C:WINDOWSsystem32lxcjcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:Program FilesCommon FilesMacromedia SharedServiceMacromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:Program FilesSmith MicroStuffItArcNameService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:Program FilesCommon FilesSymantec SharedSupport Controlsssrc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:Program FilesViewpointCommonViewpointService.exe
O23 - Service: bcveServ (ysuyacufefoau532) - Unknown owner - C:WINDOWSsystem32nocaquun.exe

--
End of file - 12247 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:Program FilesMacromediaDreamweaver 8dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:windowssystem32driversomci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 SndTDriverV32 - c:windowssystem32driverssndtdriverv32.sys <Not Verified; Windows ® 2000/XP; Windows ® 2000/XP Driver>

S0 cercsr6 - c:windowssystem32driverscercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:program filesbonjourmdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:program filesviewpointcommonviewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 ysuyacufefoau532 (bcveServ) - c:windowssystem32nocaquun.exe
S3 Dmi9mini -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-18 10:40:01 284 --a------ C:WINDOWSTasksAppleSoftwareUpdate.job


-- Files created between 2008-06-23 and 2008-07-23 -----------------------------

2008-07-23 21:58:28 0 d-a------ C:Documents and SettingsAll Users.WINDOWSApplication DataTEMP
2008-07-23 21:58:18 0 d-------- C:Program FilesSpyware Doctor
2008-07-23 21:58:18 0 d-------- C:Documents and SettingsParentsApplication DataPC Tools
2008-07-23 21:25:38 0 d-------- C:Program FilesTrend Micro
2008-07-18 15:52:39 0 d-------- C:Documents and SettingsChildrenApplication DataAdobeUM
2008-07-17 23:19:40 144384 --a------ C:WINDOWSsystem32nocaquun.exe
2008-07-17 23:17:36 144384 --a------ C:WINDOWSsystem32cumaquop.exe
2008-07-16 19:09:27 0 d-------- C:Program FilesThree Rings Design
2008-07-13 15:29:48 32 -ra------ C:Documents and SettingsAll Usershash.dat
2008-07-13 15:24:45 0 d-------- C:Documents and SettingsChildrenApplication Datayoclient
2008-07-08 16:53:59 0 d-------- C:Documents and SettingsChildrenApplication DataMozilla


-- Find3M Report ---------------------------------------------------------------

2008-07-23 22:41:34 0 d-------- C:Program FilesCommon FilesSymantec Shared
2008-07-22 18:49:30 0 d-------- C:Program FilesNorton 360
2008-07-21 11:53:42 0 d-------- C:Program FilesLx_cats
2008-07-17 00:52:47 664 --a------ C:WINDOWSsystem32d3d9caps.dat
2008-07-16 23:05:44 0 d-------- C:Program FilesiTunes
2008-07-16 23:05:27 0 d-------- C:Program FilesiPod
2008-07-16 23:04:04 0 d-------- C:Program FilesQuickTime
2008-07-16 22:56:55 0 d-------- C:Program FilesSafari
2008-06-13 00:37:27 0 d-------- C:Documents and SettingsParentsApplication DataViewpoint
2008-06-11 10:17:41 0 d-------- C:Program FilesNapster
2008-06-10 03:03:13 0 d-------- C:Program FilesMicrosoft Works
2008-06-06 21:37:07 0 d-------- C:Program FilesJava
2008-06-04 18:59:47 0 d-------- C:Documents and SettingsParentsApplication DataMacromedia
2008-06-04 18:59:47 0 d-------- C:Documents and SettingsParentsApplication DataAdobe
2008-06-02 20:37:48 0 d-------- C:Documents and SettingsParentsApplication DataHelios
2008-06-02 20:37:34 0 d-------- C:Program FilesTextPad 5
2008-05-30 18:18:30 0 d-------- C:Program FilesSymantec


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE~Browser Helper Objects{36E359F2-0C67-4eac-880A-E10D8CBDDC54}]
04/16/2007 10:52 AM 81920 --a------ c:windowssystem32wdrddr.dll

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"PrinTray"="C:WINDOWSSystem32spoolDRIVERSW32X863printray.exe" []
"Acrobat Assistant 7.0"="C:Program FilesAdobeAcrobat 7.0DistillrAcrotray.exe" [04/23/2008 02:08 AM]
"@"="" []
"SoundMAXPnP"="C:Program FilesAnalog DevicesCoresmax4pnp.exe" [05/01/2006 11:07 AM]
"NapsterShell"="C:Program FilesNapsternapster.exe" [05/09/2008 02:37 PM]
"lxcjmon.exe"="C:Program FilesLexmark 8300 Serieslxcjmon.exe" [09/30/2005 11:49 AM]
"EzPrint"="C:Program FilesLexmark 8300 Seriesezprint.exe" [04/19/2006 10:57 AM]
"LXCJCATS"="C:WINDOWSSystem32spoolDRIVERSW32X863LXCJtime.dll" [02/24/2006 06:07 PM]
"SunJavaUpdateSched"="C:Program FilesJavajre1.6.0_03binjusched.exe" [09/25/2007 02:11 AM]
"ccApp"="C:Program FilesCommon FilesSymantec SharedccApp.exe" [07/17/2007 08:54 PM]
"Symantec PIF AlertEng"="C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe" [01/29/2008 06:38 PM]
"Media Codec Update Service"="C:Program FilesEssentials Codec Packupdate.exe" [04/08/2007 11:44 AM]
"AppleSyncNotifier"="C:Program FilesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:Program FilesQuickTimeqttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:Program FilesiTunesiTunesHelper.exe" [07/10/2008 10:51 AM]
"pypu"="C:WINDOWSsystem32cumaquop.exe" [07/17/2008 11:17 PM]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"ctfmon.exe"="C:WINDOWSsystem32ctfmon.exe" [08/04/2004 05:00 AM]
"Aim6"="" []

C:Documents and SettingsAll Users.WINDOWSStart MenuProgramsStartup
Adobe Acrobat Speed Launcher.lnk - C:WINDOWSInstaller{AC76BA86-1033-0000-7760-000000000002}SC_Acrobat.exe [2/15/2008 4:59:42 PM]
Adobe Gamma Loader.lnk - C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe [7/2/2007 4:58:10 PM]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
"SysTrayGUID"= {342D5ACA-6747-4740-BE55-12D6966E6534} - c:windowssystem32emlded.dll [04/16/2007 10:52 AM 339968]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsdauxservice"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsdcoreservice"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregATICCC]
"C:Program FilesATI TechnologiesATI.ACEcli.exe" runtime -Delay

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregccApp]
"C:Program FilesCommon FilesSymantec SharedccApp.exe"

*Newly Created Service* - COMHOST
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE



-- End of Deckard's System Scanner: finished at 2008-07-23 22:42:17 ------------

Extra.text results:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6400 @ 2.13GHz
CPU 1: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 2045.54 MiB / 1025.63 MiB
Pagefile Memory (total/avail): 3938.36 MiB / 3151.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.62 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.77 GiB total, 139.59 GiB free.
D: is CDROM (No Media)
F: is Removable (No Media)

.PHYSICALDRIVE0 - WDC WD2500JS-75NCB3 - 232.83 GiB - 2 partitions
PARTITION0 - Unknown - 54.88 MiB
PARTITION1 (bootable) - Installable File System - 232.77 GiB - C:

.PHYSICALDRIVE1 - Disk drive



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"="%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%Network Diagnosticxpnetdiag.exe"="%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:Program FilesWindows LiveMessengermsnmsgr.exe"="C:Program FilesWindows LiveMessengermsnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:Program FilesWindows LiveMessengerlivecall.exe"="C:Program FilesWindows LiveMessengerlivecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"="%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%Network Diagnosticxpnetdiag.exe"="%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:Program FilesMessengermsmsgs.exe"="C:Program FilesMessengermsmsgs.exe:*:Enabled:Windows Messenger"
"C:Program FilesBonjourmDNSResponder.exe"="C:Program FilesBonjourmDNSResponder.exe:*:Enabled:Bonjour"
"C:Program FilesWindows LiveMessengermsnmsgr.exe"="C:Program FilesWindows LiveMessengermsnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:Program FilesWindows LiveMessengerlivecall.exe"="C:Program FilesWindows LiveMessengerlivecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:Program FilesCommon FilesAOLLoaderaolload.exe"="C:Program FilesCommon FilesAOLLoaderaolload.exe:*:Enabled:AOL Loader"
"C:Program FilesAIM6aim6.exe"="C:Program FilesAIM6aim6.exe:*:Enabled:AIM"
"C:Program FilesiTunesiTunes.exe"="C:Program FilesiTunesiTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:Documents and SettingsAll Users.WINDOWS
APPDATA=C:Documents and SettingsParentsApplication Data
CLASSPATH=.;C:Program FilesJavajre1.6.0_03libextQTJava.zip
CommonProgramFiles=C:Program FilesCommon Files
COMPUTERNAME=DONOIAN-9B5669A
ComSpec=C:WINDOWSsystem32cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=Documents and SettingsParents
LOGONSERVER=DONOIAN-9B5669A
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:PROGRA~1JavaJRE16~1.0_0bin;C:Program FilesInternet Explorer;;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem;C:Program FilesATI TechnologiesATI.ACE;C:Program FilesCommon FilesRoxio Shared9.0DLLShared;C:Program FilesQuickTimeQTSystem;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:Program Files
PROMPT=$P$G
QTJAVA=C:Program FilesJavajre1.6.0_03libextQTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:WINDOWS
TEMP=C:DOCUME~1ParentsLOCALS~1Temp
TMP=C:DOCUME~1ParentsLOCALS~1Temp
USERDOMAIN=DONOIAN-9B5669A
USERNAME=Parents
USERPROFILE=C:Documents and SettingsParents
windir=C:WINDOWS


-- User Profiles ---------------------------------------------------------------

Parents (admin)
Children (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:WINDOWSINFPCHealth.inf
Adobe Acrobat 7.1.0 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:WINDOWSsystem32MacromedFlashuninstall_activeX.exe
Adobe Photoshop 7.0 --> C:WINDOWSISUNINST.EXE -f"C:Program FilesAdobePhotoshop 7.0Uninst.isu" -c"C:Program FilesAdobePhotoshop 7.0Uninst.dll"
Adobe Shockwave Player 11 --> C:WINDOWSsystem32adobeSHOCKW~1UNWISE.EXE C:WINDOWSsystem32AdobeSHOCKW~1Install.log
AIM 6 --> C:Program FilesAIM6uninst.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:Program FilesATI TechnologiesUninstallAllAtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{2CA41BA1-9842-4819-8ABB-76FDC14AB9EA}
ATI Display Driver --> rundll32 C:WINDOWSsystem32atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Bonus --> MsiExec.exe /I{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}
Broadcom ASF Management Applications --> MsiExec.exe /I{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{FC57FC53-104C-415C-98D7-B05E659461A9}
Broadcom Management Programs --> MsiExec.exe /X{177D1318-3E4B-4A7C-A300-AC4E21BE090B}
CC_ccProxyExt --> MsiExec.exe /I{4AAD206E-0557-440F-8A98-94921A64BF4B}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
ccCommon --> MsiExec.exe /I{D8F6834B-D5E7-4451-8681-B051ABD8561D}
ccPxyCore --> MsiExec.exe /I{47A86BDE-6871-4A8A-BB49-21FAF754E00E}
CIB --> MsiExec.exe /I{E8176C35-0C2D-4142-9ED4-81861ECAB403}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Cucusoft DVD to iPod + iPod Video Converter Suite 5.23.5.7 --> "C:Program FilesCucusoftipod-converterunins000.exe"
Cucusoft Ultimate DVD + Video Converter Suite 7.13.7.7 --> "C:Program FilesCucusoftUltimate-Converterunins000.exe"
Dell ResourceCD --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{D78653C3-A8FF-415F-92E6-D774E634FF2D}setup.exe"
Express Burn --> C:Program FilesNCH Swift SoundExpressBurnuninst.exe
Express Rip --> C:Program FilesNCH Swift SoundExpressRipuninst.exe
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
High Definition Audio Driver Package - KB835221 --> C:WINDOWS$NtUninstallKB835221WXP$spuninstspuninst.exe
HijackThis 2.0.2 --> "C:Program FilesTrend MicroHijackThisHijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:WINDOWS$NtUninstallKB929399$spuninstspuninst.exe"
InterActual Player --> C:Program FilesInterActualInterActual Playerinuninst.exe
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java 2 Runtime Environment, SE v1.4.2_02 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142020}
Java 2 SDK, SE v1.4.2_02 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Juniper Networks Host Checker --> "C:Documents and SettingsParentsApplication DataJuniper NetworksHost Checkeruninstall.exe"
Juniper Networks Secure Application Manager --> C:Program FilesJuniper NetworksSecure Application ManagerUninstallSAM.exe
League Organizer Soccer Edition Version 8.1 --> MsiExec.exe /X{6929A104-8100-0000-ACDC-000000000118}
Lexmark 8300 Series --> C:WINDOWSSystem32spoolDRIVERSW32X863lxcjUNST.EXE -NOLICENSE
LiveReg (Symantec Corporation) --> C:Program FilesCommon FilesSymantec SharedLiveRegVcSetup.exe /REMOVE
LiveUpdate 3.2 (Symantec Corporation) --> "C:Program FilesSymantecLiveUpdateLSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Contribute 3.11 --> MsiExec.exe /I{4B9535BF-CC90-4158-AF32-CAF57A8820CA}
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Dreamweaver MX 2004 --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Fireworks MX 2004 --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{E583ED6F-BD99-4066-A420-C815BF692B69}Setup.exe" -l0x9 UNINSTALL
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash MX 2004 --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{2F353D44-73BB-4971-B31D-F7642E9E9531}Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Macromedia FreeHand MXa --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{939740B5-0064-4779-854A-8C1086181C05}Setup.exe" -l0x9 UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:WINDOWS$NtUninstallMSCompPackV1$spuninstspuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Standard 2003 --> MsiExec.exe /I{90530409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:WINDOWS$NtUninstallWudf01000$spuninstspuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:Program FilesMozilla Firefoxuninstallhelper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Napster --> C:Program FilesInstallShield Installation Information{BBBCAE4B-B416-4182-A6F2-438180894A81}setup.exe -runfromtemp -l0x0009 -removeonly
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:Program FilesCommon FilesSymantec SharedSymSetup{2D617065-1C52-4240-B5BC-C0AE12157777}_1_3_0_24{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Add-on Pack (Symantec Corporation) --> "C:Program FilesCommon FilesSymantec SharedSymSetup{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}_1_1_0_38{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}.exe" /X
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security 2005 --> C:Program FilesCommon FilesSymantec SharedSymSetupTemp{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton Internet Security Bonus Pack --> MsiExec.exe /I{D4BB907A-623E-4F07-8787-041ABAE088E4}
Parental Control --> MsiExec.exe /I{66B9BD1F-4189-4f35-BD82-9948720A04CF}
PowerDVD --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Recordpad --> C:Program FilesNCH Swift SoundRecordpaduninst.exe
Safari --> MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
SoundMAX --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1PROFES~1RunTime1050Intel32Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{F0A37341-D692-11D4-A984-009027EC0A9C}setup.exe" -l0x9 -removeonly
SoundTaxi 1.3.1 --> "C:Program FilesSoundTaxiunins000.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spyware Doctor 6.0 --> C:Program FilesSpyware Doctorunins000.exe /LOG
StuffIt 12 --> MsiExec.exe /X{9ED3C484-D002-4D4D-9BF3-C3DF9048EE7D}
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Switch --> C:Program FilesNCH Swift SoundSwitchuninst.exe
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
Symantec Technical Support Web Controls --> MsiExec.exe /X{20C53FA2-4307-4671-A93F-9463B29DFCF1}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TextPad 5 --> MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
Viewpoint Media Player --> C:Program FilesViewpointViewpoint Media PlayermtsAxInstaller.exe /u
WavePad Uninstall --> C:Program FilesNCH Swift SoundWavePaduninst.exe
Windows Essentials Media Codec Pack 1.0 --> C:Program FilesEssentials Codec Packuninst.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:WINDOWS$NtUninstallWMFDist11$spuninstspuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5567 / Error
Event Submitted/Written: 07/23/2008 07:57:46 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type5566 / Error
Event Submitted/Written: 07/23/2008 07:57:46 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type5565 / Error
Event Submitted/Written: 07/23/2008 07:57:46 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type5534 / Error
Event Submitted/Written: 07/22/2008 06:59:43 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ccapp.exe, version 106.3.2.7, faulting module asengbay.dll, version 2007.1.1.30, fault address 0x0000c371.
Processing media-specific event for [ccapp.exe!ws!]

Event Record #/Type5533 / Error
Event Submitted/Written: 07/22/2008 06:58:53 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OUTLOOK.EXE, version 11.0.8217.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12267 / Warning
Event Submitted/Written: 07/23/2008 07:34:11 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type12249 / Warning
Event Submitted/Written: 07/23/2008 09:58:50 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type12248 / Warning
Event Submitted/Written: 07/23/2008 08:00:43 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type12247 / Warning
Event Submitted/Written: 07/23/2008 07:05:19 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type12246 / Warning
Event Submitted/Written: 07/23/2008 06:30:14 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-23 22:42:17 ------------

And this is the Kaspersky Scan results - I know what the Loxxee ones are:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 24, 2008 03:23:41
Records in database: 1000628
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:
C:
D:
F:

Scan statistics:
Files scanned: 239845
Threat name: 4
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 03:15:17


File name / Threat name / Threats count
c:windowssystem32etgndg.dll/c:windowssystem32etgndg.dll Infected: Trojan-Spy.Win32.Loxxee.b 11
c:windowssystem32wdrddr.dll/c:windowssystem32wdrddr.dll Infected: Trojan-Spy.Win32.Loxxee.a 2
C:i3868d3d8d3d.dat Infected: Trojan-Spy.Win32.Loxxee.a 1
C:i386osddsd.dll Infected: Trojan-Spy.Win32.Loxxee.b 1
C:Program FilesNorton Internet SecurityNorton AntiVirusQuarantine09752FB2.cab Infected: not-a-virus:Downloader.Win32.WinFixer.ar 1
C:Program FilesNorton Internet SecurityNorton AntiVirusQuarantine1D416494.zip Infected: Exploit.Java.Gimsh.b 1
C:Program FilesNorton Internet SecurityNorton AntiVirusQuarantine1F701F6F.dll Infected: Trojan-Spy.Win32.Loxxee.a 1
C:Program FilesNorton Internet SecurityNorton AntiVirusQuarantine30057E0D.dat Infected: Trojan-Spy.Win32.Loxxee.a 1
C:Program FilesNorton Internet SecurityNorton AntiVirusQuarantine4D753BB3.zip Infected: Exploit.Java.Gimsh.b 1
C:WINDOWSsystem32etgndg.dll Infected: Trojan-Spy.Win32.Loxxee.b 1
C:WINDOWSsystem32wdrddr.dll Infected: Trojan-Spy.Win32.Loxxee.a 1

The selected area was scanned.

Merged posts. ~ OB

Edited by Orange Blossom, 24 July 2008 - 03:29 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 02 August 2008 - 10:49 PM

Hello Lisa,

And this is the Kaspersky Scan results - I know what the Loxxee ones are:

You lost me. Are you saying you added them or that you see they are trojans.
Kaspersky says they are Trojan-Spy.Win32.Loxxee.b

You have some suspicious files we need to check.

You will need to see hidden files, so follow these directions:
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\nocaquun.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\system32\cumaquop.exe

Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

***************

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report, Virus Scan results and a fresh DSS Main.txt in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

Edited by SifuMike, 02 August 2008 - 10:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 lisa777

lisa777
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 03 August 2008 - 12:55 AM

QUOTE
And this is the Kaspersky Scan results - I know what the Loxxee ones are:

You lost me. Are you saying you added them or that you see they are trojans.
Kaspersky says they are Trojan-Spy.Win32.Loxxee.b



SifuMike,

The looxsee ones are a keystoke program I have on my pc for monitoring my kids...it works well but is always seen as a trojan by any scans...I've been using this for about three years and never got the "spam" warning from my ISP before...this is why I think its the image that my kids got from IM that lead to this problem (of course, I could be wrong)....also, if it helps...I see no system slow downs, no other problems using my pc at all. I use my pc to VPN/Remote into work and school daily with no problems with connections and also do varoius FTP transfers for website maintaince...it's just my ISP complaining that I seem to be sending spam lately...never had a prob before.

Below is the first scan you've asked for C:\WINDOWS\system32\nocaquun.exe..the second one..C:\WINDOWS\system32\cumaquop.exe...this file could not be found...I have stopped here just in case there is a problem at this point...

BTW...thanks for your help..let me know what to do next when you can....THANKS!! :thumbsup:


SCAN FROM http://www.virustotal.com/....C:\WIND...92;nocaquun.exe


Virustotal. MD5: eaadbd2b7ad0771395e1d63fa4d2b588 Backdoor:W32/Agent.DEU Backdoor:Win32/Oderoor.gen!D BDS/Moo.144384
| עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands |
Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch |
Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates
the quick detection of viruses, worms, trojans, and all kinds of malware
detected by antivirus engines. More information...
File nocaquun.exe received on 07.26.2008 15:39:22 (CET)
Current status: finished

Result: 14/35 (40.00%)
Compact Print results
AntivirusVersionLast UpdateResult
AhnLab-V3---
AntiVir--BDS/Moo.144384
Authentium---
Avast--Win32:Trojan-gen {Other}
AVG--SHeur.BWNZ
BitDefender---
CAT-QuickHeal--Backdoor.Moo.14
ClamAV---
DrWeb---
eSafe--Suspicious File
eTrust-Vet---
Ewido---
F-Prot---
F-Secure--Backdoor:W32/Agent.DEU
Fortinet---
GData--Backdoor.Win32.IRCBot.ekx
Ikarus--Backdoor.Win32.Oderoor.D
Kaspersky--Backdoor.Win32.IRCBot.ekx
McAfee---
Microsoft--Backdoor:Win32/Oderoor.gen!D
NOD32v2---
Norman---
Panda---
PCTools---
Prevx1--Cloaked Malware
Rising---
Sophos---
Sunbelt--Backdoor.Moo
Symantec---
TheHacker---
TrendMicro--PAK_Generic.001
VBA32---
ViRobot---
VirusBuster---
Webwasher-Gateway--Trojan.Backdoor.Moo.144384
Additional information
MD5: eaadbd2b7ad0771395e1d63fa4d2b588
SHA1: 8546cbb82c4d41fa20cd6b481bded67f6d753168
SHA256: 1296d9189d5cc031b052fdd407e4b3e4e0ffbf34b44f392bbfe37cc5b4cd2283
SHA512:
06fbd8a7860492f0ba1aae98e69905cd4790331c16b5b3d6ce336863f54dad6b864210182ebe4a3d886d9d0f77c410a3191a4a1a91f1012f1b91bc4ac3581eae

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are
no guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee the
harmlessness of a file. Currently, there is not any solution that offers a 100%
effectiveness rate for detecting viruses and malware. VirusTotal © Hispasec
Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy
Policy

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 03 August 2008 - 11:09 AM

Hi lisa777,

No problem. Please do the Malwarebytes' Anti-Malware scan and post the log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 lisa777

lisa777
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 03 August 2008 - 02:41 PM

Here are the Malware and DSS scan results:

Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 5.1.2600 Service Pack 2

2:32:13 PM 8/3/2008
mbam-log-8-3-2008 (14-32-13).txt

Scan type: Quick Scan
Objects scanned: 97829
Time elapsed: 34 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Deckard's System Scanner v20071014.68
Run by Parents on 2008-08-03 14:35:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Parents.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:36 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Parents\My Documents\SoundTaxi\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Parents.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: IMHelper Class - {36E359F2-0C67-4eac-880A-E10D8CBDDC54} - c:\windows\system32\wdrddr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pypu] C:\WINDOWS\system32\cumaquop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-823518204-1547161642-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Children')
O4 - HKUS\S-1-5-21-823518204-1547161642-725345543-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Children')
O4 - HKUS\S-1-5-21-823518204-1547161642-725345543-1004\..\Run: [Aim6] (User 'Children')
O4 - HKUS\S-1-5-18\..\Run: [pypu] C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\cumaquop.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [pypu] C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\cumaquop.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.doralusa.com/dana-cached/setup/...perSetupSP1.cab
O21 - SSODL: SysTrayGUID - {342D5ACA-6747-4740-BE55-12D6966E6534} - c:\windows\system32\emlded.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: bcveServ (ysuyacufefoau532) - Unknown owner - C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\nocaquun.exe (file missing)

--
End of file - 13009 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 13:34:31 0 d-------- C:\Documents and Settings\Parents\Application Data\Malwarebytes
2008-08-03 13:34:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 13:34:26 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-07-24 01:08:56 0 d-------- C:\Documents and Settings\Parents\Application Data\yoclient
2008-07-23 21:58:28 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-23 21:58:18 0 d-------- C:\Program Files\Spyware Doctor
2008-07-23 21:58:18 0 d-------- C:\Documents and Settings\Parents\Application Data\PC Tools
2008-07-23 21:25:38 0 d-------- C:\Program Files\Trend Micro
2008-07-18 15:52:39 0 d-------- C:\Documents and Settings\Children\Application Data\AdobeUM
2008-07-17 23:19:40 144384 --a------ C:\WINDOWS\system32\nocaquun.exe
2008-07-16 19:09:27 0 d-------- C:\Program Files\Three Rings Design
2008-07-13 15:29:48 32 -ra------ C:\Documents and Settings\All Users\hash.dat
2008-07-13 15:24:45 0 d-------- C:\Documents and Settings\Children\Application Data\yoclient
2008-07-08 16:53:59 0 d-------- C:\Documents and Settings\Children\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-08-03 13:35:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 16:04:13 0 d-------- C:\Program Files\Lx_cats
2008-07-31 14:00:51 0 d-------- C:\Documents and Settings\Parents\Application Data\Juniper Networks
2008-07-22 18:49:30 0 d-------- C:\Program Files\Norton 360
2008-07-17 00:52:47 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-16 23:05:44 0 d-------- C:\Program Files\iTunes
2008-07-16 23:05:27 0 d-------- C:\Program Files\iPod
2008-07-16 23:04:04 0 d-------- C:\Program Files\QuickTime
2008-07-16 22:56:55 0 d-------- C:\Program Files\Safari
2008-06-13 00:37:27 0 d-------- C:\Documents and Settings\Parents\Application Data\Viewpoint
2008-06-11 10:17:41 0 d-------- C:\Program Files\Napster
2008-06-10 03:03:13 0 d-------- C:\Program Files\Microsoft Works
2008-06-06 21:37:07 0 d-------- C:\Program Files\Java
2008-06-04 18:59:47 0 d-------- C:\Documents and Settings\Parents\Application Data\Macromedia
2008-06-04 18:59:47 0 d-------- C:\Documents and Settings\Parents\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36E359F2-0C67-4eac-880A-E10D8CBDDC54}]
04/16/2007 10:52 AM 81920 --a------ c:\windows\system32\wdrddr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" []
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [04/23/2008 02:08 AM]
"@"="" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [05/01/2006 11:07 AM]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [05/09/2008 02:37 PM]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [09/30/2005 11:49 AM]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [04/19/2006 10:57 AM]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [02/24/2006 06:07 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 08:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [04/08/2007 11:44 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"pypu"="C:\WINDOWS\system32\cumaquop.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"pypu"=C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\cumaquop.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2/15/2008 4:59:42 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/2/2007 4:58:10 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysTrayGUID"= {342D5ACA-6747-4740-BE55-12D6966E6534} - c:\windows\system32\emlded.dll [04/16/2007 10:52 AM 339968]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

*Newly Created Service* - COMHOST
*Newly Created Service* - MBAMSWISSARMY



-- End of Deckard's System Scanner: finished at 2008-08-03 14:35:49 ------------

Attached Files



#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 03 August 2008 - 03:13 PM

Hi Lisa,

We have another file to check.
You will need to see hidden files, so follow these directions:

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'



Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

c:\windows\system32\emlded.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

Edited by SifuMike, 03 August 2008 - 03:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 lisa777

lisa777
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 03 August 2008 - 05:12 PM

Virus Total scan 8/3:

Result: 4/36 (11.12%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.02 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.08.03 -
Avast 4.8.1195.0 2008.08.03 Win32:Loxxee-D
AVG 8.0.0.156 2008.08.02 -
BitDefender 7.2 2008.08.03 -
CAT-QuickHeal 9.50 2008.08.02 -
ClamAV 0.93.1 2008.08.03 -
DrWeb 4.44.0.09170 2008.08.03 -
eSafe 7.0.17.0 2008.08.03 -
eTrust-Vet 31.6.6002 2008.08.02 -
Ewido 4.0 2008.08.03 -
F-Prot 4.4.4.56 2008.08.03 -
F-Secure 7.60.13501.0 2008.08.03 -
Fortinet 3.14.0.0 2008.08.03 -
GData 2.0.7306.1023 2008.08.03 Win32:Loxxee-D
Ikarus T3.1.1.34.0 2008.08.03 -
K7AntiVirus 7.10.402 2008.08.02 -
Kaspersky 7.0.0.125 2008.08.03 -
McAfee 5352 2008.08.01 -
Microsoft 1.3807 2008.08.03 -
NOD32v2 3322 2008.08.03 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.03 Suspicious file
PCTools 4.4.2.0 2008.08.03 -
Prevx1 V2 2008.08.04 -
Rising 20.55.62.00 2008.08.03 -
Sophos 4.31.0 2008.08.03 -
Sunbelt 3.1.1537.1 2008.08.01 Looxee
Symantec 10 2008.08.03 -
TheHacker 6.2.96.392 2008.08.02 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.02 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.08.03 -
Webwasher-Gateway 6.6.2 2008.08.03 -
Additional information
File size: 339968 bytes
MD5...: 2d7d66169e861f07208d88c14c3717fe
SHA1..: 2d51226b5573da5a111471308ad0651333597d14
SHA256: 6d6fb27c7f5a926ec34b0ac8886d9687f2cd8b3b3ba448383bacf481acb77682
SHA512: 1cf49345e426f66fd35884f93f965ed8cbbfe3920e41f22fe554be75d7637e3d
9b2e6712f587ba958dcfbef5ab451b0bdcec46a866bec0f0d69921a5f39c6095
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100223c6
timedatestamp.....: 0x42e6993f (Tue Jul 26 20:12:47 2005)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3931e 0x3a000 6.56 a863d1fabeb5edaabaa805df35a457af
.orpc 0x3b000 0x73 0x1000 0.29 ce220085ac1b8f81e3f21dbdeb0a4551
.rdata 0x3c000 0xaffd 0xb000 5.21 74906e1aff7b391baefab77cada5f17a
.data 0x47000 0x66b4 0x3000 3.71 391368f2d92a4760b873080efb4f592f
.rsrc 0x4e000 0x1070 0x2000 2.92 7b1ef84ed9e32621956b602c2f837994
.reloc 0x50000 0x662a 0x7000 4.04 2a47622b24bcb63a5c0246fc9d0530fa

( 13 imports )
> RPCRT4.dll: UuidCreate, NdrCStdStubBuffer2_Release, NdrDllCanUnloadNow, IUnknown_QueryInterface_Proxy, IUnknown_AddRef_Proxy, IUnknown_Release_Proxy, NdrOleAllocate, NdrOleFree, NdrStubForwardingFunction
> MPR.dll: WNetGetUserA
> WININET.dll: InternetGetConnectedState
> KERNEL32.dll: SetLastError, lstrcmpA, lstrcpyA, EnumResourceLanguagesA, ConvertDefaultLocale, GlobalDeleteAtom, GetCurrentThread, GlobalAddAtomA, FindNextFileA, FileTimeToSystemTime, FileTimeToLocalFileTime, FreeResource, lstrcmpW, lstrcatA, GlobalFindAtomA, GlobalGetAtomNameA, LocalAlloc, GlobalReAlloc, GlobalHandle, TlsGetValue, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, SetErrorMode, WritePrivateProfileStringA, GlobalFlags, ReadFile, WriteFile, SetFilePointer, FlushFileBuffers, GlobalFree, SetEndOfFile, GetFullPathNameA, GetCPInfo, GetOEMCP, ExitProcess, RtlUnwind, GetSystemTimeAsFileTime, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, HeapReAlloc, GetTimeFormatA, GetDateFormatA, GetCommandLineA, TerminateProcess, HeapSize, QueryPerformanceCounter, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, SetUnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, UnhandledExceptionFilter, GetDriveTypeA, IsBadReadPtr, IsBadCodePtr, SetStdHandle, SetEnvironmentVariableA, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, GetComputerNameA, GetWindowsDirectoryA, CompareStringW, CompareStringA, GetVersion, OpenProcess, GetCurrentDirectoryA, GetTempFileNameA, GetSystemDirectoryA, SystemTimeToFileTime, SetFileTime, GetFileSize, CreateFileA, GetFileTime, FindFirstFileA, FindClose, Sleep, DeleteFileA, MoveFileA, SetPriorityClass, CopyFileA, CreateProcessA, CreateEventA, WaitForSingleObject, GetProcAddress, GetCurrentThreadId, HeapAlloc, GetCurrentProcess, FlushInstructionCache, GetExitCodeThread, CloseHandle, CreateThread, SetThreadPriority, ResumeThread, LoadLibraryA, GetCurrentProcessId, GetTickCount, GetModuleHandleA, LoadLibraryExA, FreeLibrary, GetModuleFileNameA, IsDBCSLeadByte, InterlockedDecrement, InterlockedIncrement, lstrcpynA, lstrcmpiA, lstrlenA, GetProcessHeap, HeapFree, GetLastError, DeleteCriticalSection, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, RaiseException, lstrlenW, MultiByteToWideChar, FindResourceA, LoadResource, LockResource, SizeofResource, WideCharToMultiByte, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange
> USER32.dll: DrawTextExA, GrayStringA, BeginPaint, EndPaint, DestroyMenu, SetPropA, GetPropA, RemovePropA, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetClientRect, GetMenu, GetSysColor, AdjustWindowRectEx, GetClassInfoA, RegisterClassA, SystemParametersInfoA, IsIconic, GetWindowPlacement, CopyRect, PtInRect, GetWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetNextDlgTabItem, EndDialog, GetWindowTextA, DrawTextA, SetFocus, ShowWindow, GetDlgCtrlID, SetWindowTextA, IsDialogMessageA, SendDlgItemMessageA, GetDlgItem, WaitMessage, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, GetActiveWindow, GetKeyState, GetCursorPos, ValidateRect, MessageBoxA, GetParent, IsWindowEnabled, SetCursor, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, RegisterWindowMessageA, SendMessageTimeoutA, GetWindowThreadProcessId, EnableWindow, FindWindowExA, PeekMessageA, DispatchMessageA, GetDC, ReleaseDC, TabbedTextOutA, ClientToScreen, GetWindowRect, TranslateMessage, GetSysColorBrush, WinHelpA, GetCapture, SetWindowPos, GetClassLongA, GetKeyboardState, GetKeyboardLayout, ToAsciiEx, PostMessageA, CreateWindowExA, RegisterClassExA, UnregisterHotKey, CallWindowProcA, BringWindowToTop, RegisterHotKey, LoadCursorA, wsprintfA, GetClassInfoExA, KillTimer, SetTimer, GetWindowLongA, SetWindowLongA, SendMessageA, DefWindowProcA, UnregisterClassA, GetForegroundWindow, GetSystemMetrics, GetDesktopWindow, CharNextA, EnumChildWindows, GetClassNameA, IsWindowVisible, GetLastActivePopup
> GDI32.dll: GetClipBox, SetTextColor, SetBkColor, SaveDC, ScaleWindowExtEx, GetStockObject, CreateBitmap, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, Escape, ExtTextOutA, TextOutA, GetObjectA, SelectPalette, RealizePalette, GetDIBits, GetSystemPaletteEntries, CreatePalette, GetDeviceCaps, CreateDCA, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, DeleteObject, RectVisible, PtVisible, SetMapMode, RestoreDC, SetWindowExtEx
> WINSPOOL.DRV: ClosePrinter, OpenPrinterA, DocumentPropertiesA
> ADVAPI32.dll: RegEnumKeyExA, RegQueryValueA, RegEnumKeyA, RegOpenKeyA, RegQueryValueExA, RegDeleteKeyA, RegQueryInfoKeyA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegDeleteValueA
> COMCTL32.dll: -
> SHLWAPI.dll: PathFindExtensionA, PathFindFileNameA
> ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CoTaskMemRealloc, CoCreateInstance, CoInitialize, CoUninitialize
> OLEAUT32.dll: -, -, -, -, -, -, -, -
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 2 exports )
DllCanUnloadNow, DllGetClassObject

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 03 August 2008 - 05:29 PM

Hi Lisa,

I think emlded.dll is part of your looxsee keylogging program


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [pypu] C:\WINDOWS\system32\cumaquop.exe
O4 - HKUS\S-1-5-18\..\Run: [pypu] C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\cumaquop.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [pypu] C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\cumaquop.exe (User 'Default user')
O23 - Service: bcveServ (ysuyacufefoau532) - Unknown owner - C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\nocaquun.exe (file missing)


Close all browsers and other windows except for HijackThis, and click "Fix checked"

Lets delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All File and name it FixService.bat


@echo off
sc stop ysuyacufefoau532
sc delete ysuyacufefoau532
exit

Double click FixService.bat.
It should now look like this icon now.

Posted Image

Now double click this file, won't see much happen.
A window will open and close. This is normal.
A quick flash is about all.
Then you may delete the FixService.bat file we just made.


*******************************************

Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
    (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\nocaquun.exe

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, OTMoveIt2 log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 lisa777

lisa777
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 03 August 2008 - 09:45 PM

Updated Java.
Ran Hijackthis--all files listed existed..ran "Fix Checked"
Ran FixService.bat
Ran Oldtimer:

C:\WINDOWS\system32\nocaquun.exe moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08032008_211702

Ran CCleaner on both user accounts...Rebooted.

New Hijackthis log (I ran it again):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:10 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: IMHelper Class - {36E359F2-0C67-4eac-880A-E10D8CBDDC54} - c:\windows\system32\wdrddr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.doralusa.com/dana-cached/setup/...perSetupSP1.cab
O21 - SSODL: SysTrayGUID - {342D5ACA-6747-4740-BE55-12D6966E6534} - c:\windows\system32\emlded.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11688 bytes

My pc seems to be running fine but again, I never noticed it running slow or anything before...

What's next?

Thanks again :thumbsup:

Lisa

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 03 August 2008 - 09:59 PM

Hi Lisa,

Log looks good but I see Viewpoint installed.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folders
C:\Program Files\Viewpoint


Reboot your computer, post a fresh Hijackthis log for a final check.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 lisa777

lisa777
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 03 August 2008 - 11:09 PM

Hi there,

OK,I removed Viewpoint Media Player via the Control Panel but there was no folder-C :\Program Files\Viewpoint

Latest Hijackthis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:06 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: IMHelper Class - {36E359F2-0C67-4eac-880A-E10D8CBDDC54} - c:\windows\system32\wdrddr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.doralusa.com/dana-cached/setup/...perSetupSP1.cab
O21 - SSODL: SysTrayGUID - {342D5ACA-6747-4740-BE55-12D6966E6534} - c:\windows\system32\emlded.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 11510 bytes

Thanks!
Lisa

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 03 August 2008 - 11:19 PM

Hi Lisa,

Your log looks clean! :thumbsup: Good job!

Open OTMoveIt2 and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present.
They are not needed anymore, so OtMoveIt will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.



Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.




Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 lisa777

lisa777
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:41 PM

Posted 05 August 2008 - 07:33 PM

Everything in the last post has been done...interesting readings...I'll make sure the kids read them too since I'm sure they didn't listen to me the first time anyway :thumbsup:

Thanks for all your help!

Lisa

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 05 August 2008 - 08:14 PM

Thank you for the kind words.. It's always nice to hear that someone appreciates the help we are giving. :thumbsup:

Edited by SifuMike, 05 August 2008 - 08:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 PM

Posted 13 August 2008 - 03:12 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users