Suspect that Virtumonde is behind this


This topic is locked
9 replies to this topic

#1 xp2004

Posted 22 October 2008 - 04:37 PM

Hi,

I foolishly opened an executable file yesterday (Oct 21, 2008) and after a few minutes my taskbar and the icons on my desktop started to disappear and then appear again and again. I still had internet access and did some quick research on the behavior. One of the proposed solutions was to download and run Super AntiSpyware. It detected a whole bunch of Virtumonde files.

Here's the log file from Super AntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/21/2008 at 08:22 PM

Application Version : 4.21.1004

Core Rules Database Version : 3603
Trace Rules Database Version: 1589

Scan type : Complete Scan
Total Scan Time : 01:07:25

Memory items scanned : 430
Memory threats detected : 2
Registry items scanned : 9417
Registry threats detected : 11
File items scanned : 52631
File threats detected : 241

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\MLJCULEE.DLL
C:\WINDOWS\SYSTEM32\MLJCULEE.DLL
C:\WINDOWS\SYSTEM32\VTUKICVV.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\JKKJCCAY.DLL
C:\WINDOWS\SYSTEM32\JKKJCCAY.DLL

Trojan.Vundo-Variant/NextGen
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3439F1D2-D422-40BA-98A2-090BBA390E11}
HKCR\CLSID\{3439F1D2-D422-40BA-98A2-090BBA390E11}
HKCR\CLSID\{3439F1D2-D422-40BA-98A2-090BBA390E11}\InprocServer32
HKCR\CLSID\{3439F1D2-D422-40BA-98A2-090BBA390E11}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{420959A7-1B3F-49EE-848E-6DE631A39223}
HKCR\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}
HKCR\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}\InprocServer32
HKCR\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{420959A7-1B3F-49EE-848E-6DE631A39223}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mlJCULeE

Adware.Tracking Cookie

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP


After re-booting my machine, the taskbar behavior stopped and everything was fine with it, but the Super AntiSpyware application would throw the following message: "The application or DLL C:\WINDOWS\system32\mlJCULeE.dll is not a valid Windows image. Please check this against your installation diskette." This would happen whenever I tried launching anything from the ObjectDock application as well. These two applications (Super AntiSpyware and ObjectDock) are part of the startup process. I have Tuneup Utilities 2008 and left them out of the startup process. So when I boot my machine, no error is displayed from Super AntiSpyware.

I have noticed that the machine is slower than it was before.

I ran HiJackThis and this is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:54 PM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.sympatico.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3439F1D2-D422-40BA-98A2-090BBA390E11} - C:\WINDOWS\system32\jkkJccay.dll
O2 - BHO: (no name) - {420959A7-1B3F-49EE-848E-6DE631A39223} - C:\WINDOWS\system32\mlJCULeE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...res/ext360.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.kidsmania.ca/ExentCtl.ocx
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {850F23ED-AC36-4E9D-A5BB-B0AAE453FEAE} (Sympatico E-mail Configuration Tool) - http://upgradecentre.sympatico.ca/controls/emcconfig.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - https://access.cantire.com/qcbin/,DanaInfo=...va+Spider90.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.cantire.com/dana-cached/setu...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://access.cantire.com/Cantire.StoreCom...apubsopenhouse+
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.samsclubphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://samsclub.pnimedia.com/upload/active...upv2.0.0.10.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1321130-1F02-4733-874E-13647A238E23}: NameServer = 206.47.244.42,206.47.244.101,207.164.234.193
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJCULeE - C:\WINDOWS\SYSTEM32\mlJCULeE.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 15937 bytes


Please let me know if you need anything else. Any help would be greatly appreciated. Thank you!


#2 Rodav

Rodav

  • Members
  • 388 posts

Posted 23 October 2008 - 04:09 PM

Hello, and welcome to the Bleeping Computer forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient while I work on your log, and I will post back here with any recommendations.
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 Rodav

Rodav

  • Members
  • 388 posts

Posted 23 October 2008 - 04:14 PM

Step 1:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double-click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Step 2:
Run HijackThis, do a system scan and post the following into your next reply:
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log
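
An added example, not code from this thread, HijackThis or ComboFix: a small Python script that compares the HijackThis log taken before ComboFix with the one taken after, lists which entries disappeared, and flags the two patterns visible in this thread (a hook whose file is gone, and an eight-letter mixed-case DLL under system32 hooked into Winlogon Notify). The sample lines are abridged from the logs posted above; the "after" sample and the two heuristics are this example's own.

```python
"""Diff two HijackThis logs (before/after a ComboFix run) and flag leftovers.

Added example; not code from the thread, HijackThis or ComboFix.  The sample
log lines are abridged from this thread; the heuristics are this example's own.
"""
import re

# Every HijackThis entry looks like "<Rn|On> - <description>"; other lines are headers.
_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Constructed sample: entries taken from the first HijackThis log in this thread (abridged).
BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJCULeE - C:\WINDOWS\SYSTEM32\mlJCULeE.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
# Constructed "after" sample: the mlJCULeE hook that ComboFix listed under ORPHANS REMOVED is
# gone; the O18 entry is kept here only to exercise the "(no file)" rule below.
AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def parse(log_text):
    """Return the log's entries as (section, body) tuples, in file order."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def diff_logs(before_text, after_text):
    """Entries present only in the old log (removed) and only in the new one (added)."""
    before, after = set(parse(before_text)), set(parse(after_text))
    return sorted(before - after), sorted(after - before)


def _case_transitions(name):
    """Count lower/upper switches between adjacent letters: 'mlJCULeE' -> 3, 'SDHelper' -> 1."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def suspicious(entries):
    """Return (section, body, reason) for entries matching this example's two heuristics:
    a hook whose target file is gone, or a Winlogon Notify DLL in system32 whose name is
    eight letters of mixed case (the naming seen in this thread: mlJCULeE, jkkJccay)."""
    flagged = []
    for section, body in entries:
        path = body.rsplit(" - ", 1)[-1]                     # last " - " field is the file path
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        stem = filename[:-4] if filename.lower().endswith(".dll") else filename
        if "(no file)" in body:
            flagged.append((section, body, "hook points at a file that no longer exists"))
        elif (section == "O20" and "system32" in path.lower()
              and len(stem) == 8 and stem.isalpha() and _case_transitions(stem) >= 2):
            flagged.append((section, body, "random-looking 8-letter mixed-case DLL in system32"))
    return flagged


def report(before_text, after_text):
    """Plain-text summary of what changed and what still deserves a look."""
    removed, added = diff_logs(before_text, after_text)
    out = ["Removed since previous log:"]
    out += [f"  {s} - {b}" for s, b in removed] or ["  (none)"]
    out.append("New since previous log:")
    out += [f"  {s} - {b}" for s, b in added] or ["  (none)"]
    out.append("Still present and worth a look:")
    out += [f"  {s} - {b}  [{why}]" for s, b, why in suspicious(parse(after_text))] or ["  (none)"]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```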


#4 xp2004

xp2004
  • Topic Starter

  • Members
  • 4 posts

Posted 23 October 2008 - 06:08 PM

Hi,

Thank you for taking a look at my HijackThis log. I downloaded and ran ComboFix.exe. The tool ran and finished as per your instructions, but I just wanted to let you know that when I double-clicked the ComboFix.exe icon, the same "xxx.dll is not a valid Windows image..." message appeared.

Here's the ComboFix.exe log:

ComboFix 08-10-23.03 - HP_Owner 2008-10-23 18:37:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1659 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\jkkJccay.dll
C:\WINDOWS\system32\mlJCULeE.dll
C:\WINDOWS\system32\yaccJkkj.ini
C:\WINDOWS\system32\yaccJkkj.ini2
D:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.

2008-10-23 08:33 . 2008-10-23 08:33 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-10-22 17:11 . 2008-10-22 17:13 <DIR> d-------- C:\HJT
2008-10-21 22:14 . 2008-10-21 22:14 <DIR> d-------- C:\!KillBox
2008-10-21 20:44 . 2008-10-21 20:44 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B\Application Data\SUPERAntiSpyware.com
2008-10-21 20:42 . 2004-08-07 17:22 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B\WINDOWS
2008-10-21 20:42 . 2004-08-08 10:56 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B\Application Data\Symantec
2008-10-21 20:42 . 2004-08-07 17:59 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B\Application Data\SampleView
2008-10-21 20:42 . 2008-03-10 08:59 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B\Application Data\Juniper Networks
2008-10-21 20:42 . 2004-08-07 17:20 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B\Application Data\Apple Computer
2008-10-21 20:42 . 2008-10-21 20:42 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AE066C3A9B
2008-10-21 19:05 . 2008-10-21 19:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-21 19:05 . 2008-10-21 19:05 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2008-10-21 19:05 . 2008-10-21 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-21 17:17 . 2008-10-21 17:22 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-10-21 17:15 . 2008-10-21 17:15 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-10-21 17:15 . 2008-10-21 17:15 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-10-21 17:14 . 2008-10-21 17:19 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-21 17:14 . 2008-07-06 08:06 1,676,288 --------- C:\WINDOWS\system32\xpssvcs.dll
2008-10-21 17:14 . 2008-07-06 08:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-10-21 17:14 . 2008-07-06 06:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-10-21 17:14 . 2008-07-06 08:06 575,488 --------- C:\WINDOWS\system32\xpsshhdr.dll
2008-10-21 17:14 . 2008-07-06 08:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-10-21 17:14 . 2008-07-06 08:06 117,760 --------- C:\WINDOWS\system32\prntvpt.dll
2008-10-21 17:14 . 2008-07-06 08:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-10-21 17:10 . 2008-10-21 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-10-21 17:06 . 2008-10-21 17:06 <DIR> dr-h----- C:\AHCache
2008-10-21 16:12 . 2008-10-21 17:22 <DIR> d-------- C:\Program Files\Uniblue
2008-10-21 16:12 . 2008-10-21 17:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Uniblue
2008-10-21 16:12 . 2008-10-21 16:12 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-14 15:45 . 2008-10-14 15:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\DivX
2008-10-14 11:12 . 2008-10-14 11:12 <DIR> d-------- C:\Program Files\Garmin GPS Plugin
2008-10-14 11:12 . 2008-10-21 14:03 <DIR> d-------- C:\Garmin
2008-10-14 11:12 . 2008-10-15 20:52 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\GARMIN
2008-10-13 12:18 . 2008-10-13 17:55 <DIR> d-------- C:\Program Files\ControlMK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 22:42 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-23 17:32 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Skype
2008-10-22 20:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-21 23:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 22:41 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-10-21 21:15 --------- d-----w C:\Program Files\MSBuild
2008-10-16 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-16 00:47 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-10-06 23:03 --------- d-----w C:\Program Files\DivX
2008-09-23 19:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 23:27 --------- d-----w C:\Program Files\ATI
2008-09-20 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-09-20 23:17 --------- d-----w C:\Program Files\ATI Technologies
2008-09-19 02:12 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-09-19 02:12 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\SystemRequirementsLab
2008-09-18 15:03 --------- d-----w C:\Program Files\Flock
2008-09-18 12:52 --------- d-----w C:\Program Files\LucasArts
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-07-26 23:13 3,885 ----a-w C:\WINDOWS\viassary-hp.reg
2007-02-14 19:36 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-01-30 18:32 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Uniblue RegistryBooster 2009"="C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 81920]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 586896]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]
"WD Button Manager"="WDBtnMgr.exe" [2008-05-07 C:\WINDOWS\system32\WDBtnMgr.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"Cache Cleaner"=C:\Documents and Settings\HP_Owner\Application Data\Juniper Networks\Cache Cleaner 6.0.0\dsCacheCleaner.exe -action delete
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"IPInSightMonitor 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
"IPInSightLAN 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"AlcWzrd"=ALCWZRD.EXE
"Alcmtr"=ALCMTR.EXE
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPHUPD06"=c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Motive SmartBridge"=C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe"
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe"
"SansaDispatch"=C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Documents and Settings\\HP_Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 NEOFLTR_600_12359;Juniper Networks TDI Filter Driver (NEOFLTR_600_12359);C:\WINDOWS\system32\Drivers\NEOFLTR_600_12359.SYS [2007-11-27 64160]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 EraserUtilDrvI7;EraserUtilDrvI7;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2008-09-02 99376]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2006-09-07 10112]
S3 EraserUtilDrv1061;EraserUtilDrv1061;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv1061.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-10 307968]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a9e6362-d698-11dc-a67c-00112f468cf4}]
\Shell\AutoRun\command - G:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2c06652-bb12-11dc-a62f-00112f468cf4}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-10-23 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 14:24]

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2005-10-03 C:\WINDOWS\Tasks\Easy Internet Sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe [2004-06-22 00:19]

2008-10-19 C:\WINDOWS\Tasks\Symantec Drmc.job
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 05:48]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3439F1D2-D422-40BA-98A2-090BBA390E11} - C:\WINDOWS\system32\jkkJccay.dll
BHO-{420959A7-1B3F-49EE-848E-6DE631A39223} - C:\WINDOWS\system32\mlJCULeE.dll
ShellExecuteHooks-{420959A7-1B3F-49EE-848E-6DE631A39223} - C:\WINDOWS\system32\mlJCULeE.dll
Notify-mlJCULeE - mlJCULeE.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\kjxuybmd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_01\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 18:45:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-23 18:57:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-23 22:57:40

Pre-Run: 118,309,523,456 bytes free
Post-Run: 118,498,582,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

260 --- E O F --- 2008-10-23 12:34:32


And now here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:07 PM, on 10/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.sympatico.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.kidsmania.ca/ExentCtl.ocx
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {850F23ED-AC36-4E9D-A5BB-B0AAE453FEAE} (Sympatico E-mail Configuration Tool) - http://upgradecentre.sympatico.ca/controls/emcconfig.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - https://access.cantire.com/qcbin/,DanaInfo=...va+Spider90.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.cantire.com/dana-cached/setu...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://access.cantire.com/Cantire.StoreCom...apubsopenhouse+
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.samsclubphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://samsclub.pnimedia.com/upload/active...upv2.0.0.10.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1321130-1F02-4733-874E-13647A238E23}: NameServer = 206.47.244.42,206.47.244.101,207.164.234.193
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 14607 bytes

If you need anything else, please let me know.

Thank you and I hope to hear from you for the next steps.

#5 Rodav

  • Members
  • 388 posts
  • Local time:08:57 PM

Posted 24 October 2008 - 02:51 PM

Hi,

Things are looking better. Are you still getting errors?

Step 1:
Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Step 2:
Run HijackThis, do a system scan and post the following into your next reply:
  • The NOD32 results
  • A new HijackThis log
Also let me know how your computer is running

#6 xp2004 (Topic Starter)

  • Members
  • 4 posts
  • Local time:04:57 PM

Posted 25 October 2008 - 12:19 AM

Hi,

Things are definitely better, the errors are gone.

Here are the logs that you requested:


EsetOnlineScanner log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3553 (20081024)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=b07411d661132f4d8a7894edb671ea66
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-25 05:13:19
# local_time=2008-10-25 01:13:19 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1044282
# found=13
# scan_time=8271
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-30d5aac8-7dff0a5e.class Java/TrojanDownloader.OpenStream.NAC trojan DBEE24E93B7EFBC279DAA14F64E9575E
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-43ab9b4d-500b5984.zip Java/Binny.A trojan DF5D24AB5A3522893E81D7032AE22CA6
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-43ab9b4d-500b5984.zip »ZIP »binny/binny.class Java/Binny.A trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10f063be-1a729d8b.zip multiple infiltrations 6CB69EED50163CAE09783D1F069BA674
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10f063be-1a729d8b.zip »ZIP »GetAccess.class Java/TrojanDownloader.OpenConnection.AJ trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10f063be-1a729d8b.zip »ZIP »Installer.class Java/TrojanDownloader.OpenConnection trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10f063be-1a729d8b.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10f063be-1a729d8b.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv662.jar-de8274e-50ead034.zip multiple infiltrations F18EC4EC7C8D32AB85EF26C86A55479B
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv662.jar-de8274e-50ead034.zip »ZIP »Matrix.class a variant of Java/TrojanDownloader.OpenStream.C trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv662.jar-de8274e-50ead034.zip »ZIP »Counter.class Java/ClassLoader.H trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv662.jar-de8274e-50ead034.zip »ZIP »Dummy.class Java/Dummy trojan 00000000000000000000000000000000
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv662.jar-de8274e-50ead034.zip »ZIP »Parser.class Java/ClassLoader.B trojan 00000000000000000000000000000000


New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:42 AM, on 10/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.sympatico.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.kidsmania.ca/ExentCtl.ocx
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {850F23ED-AC36-4E9D-A5BB-B0AAE453FEAE} (Sympatico E-mail Configuration Tool) - http://upgradecentre.sympatico.ca/controls/emcconfig.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - https://access.cantire.com/qcbin/,DanaInfo=...va+Spider90.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.2/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.cantire.com/dana-cached/setu...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://access.cantire.com/Cantire.StoreCom...apubsopenhouse+
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.samsclubphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://samsclub.pnimedia.com/upload/active...upv2.0.0.10.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1321130-1F02-4733-874E-13647A238E23}: NameServer = 206.47.244.42,206.47.244.101,207.164.234.193
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 14932 bytes

#7 Rodav

  • Members
  • 388 posts
  • Local time:08:57 PM

Posted 25 October 2008 - 01:08 PM

Things are looking much better from here.

Step 1:
Please download ATF cleaner
Make sure that all browser windows are closed. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Deselect Cookies
Click the Empty Selected button.
You can select cookies but you will have to re enter your login details to websites you frequent.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Deselect Firefox Cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Deselect Opera Cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Step 2:
Older versions of Java have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel > Add/Remove Programs.
  • Check any item with Java Runtime Environment, JRE, J2SE, or Java Webstart in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all installed versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of the Java Runtime Environment (JRE) and install it on your computer.


Step 3:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
You can also delete C:\!KillBox and any logs we have produced, and empty your Recycle bin.



Your logs are now clean. :thumbsup:
If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file as part of it. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.
Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware, with further tips; it's well worth a read. http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
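The post above describes the hosts file as a "phone book" that can be pointed at a non-routable address to block known bad sites. The following is an added example, not part of the thread or of the MVPS list; it models how the resolver consults a hosts file so the limits of this protection are visible: matching is exact and case-insensitive, so a blocklist entry for one name does not cover its subdomains, and a connection made directly to an IP address never consults the file at all. The hosts entries are constructed sample data using reserved `.test` names, and `parse_hosts`, `lookup` and `is_blocked` are names chosen for this example.

```python
"""Model of how a hosts-file blocklist (MVPS style) is consulted by a resolver.

Added example; the sample entries below are constructed and are not real
blocklist data.
"""
import ipaddress

# Constructed sample in MVPS style. 0.0.0.0 is the sinkhole address used by
# modern lists; older lists used 127.0.0.1, which also points at the local PC.
SAMPLE_HOSTS = """\
# comment lines are ignored
127.0.0.1 localhost
0.0.0.0 ads.example.test        # trailing comments are allowed
0.0.0.0 tracker.example.test
0.0.0.0 Malicious.Example.TEST  # hostnames are case-insensitive
0.0.0.0 ads.example.test        # duplicate: first entry wins
::1 localhost
"""

SINKHOLE = "0.0.0.0"  # address that a blocklist maps unwanted names to


def parse_hosts(text):
    """Return {hostname (lowercase): address} from hosts-file text.

    Lines are '<address> <name> [<name> ...]' with optional '#' comments.
    The first mapping for a name is kept, mirroring first-match resolution.
    Malformed lines are skipped rather than aborting the whole load.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # address with no names
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an IP address; skip line
        for name in parts[1:]:
            table.setdefault(name.lower(), str(addr))
    return table


def lookup(table, hostname):
    """Exact, case-insensitive match on the full name, as the OS resolver does.

    There is no wildcard or suffix matching: 'cdn.ads.example.test' is a
    different key from 'ads.example.test'.
    """
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True only when the name is explicitly mapped to the sinkhole address."""
    return lookup(table, hostname) == SINKHOLE


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.test", "ADS.EXAMPLE.TEST",
                 "cdn.ads.example.test", "localhost"):
        state = "blocked" if is_blocked(hosts, name) else "not blocked"
        print(f"{name:24} -> {lookup(hosts, name)} ({state})")
```

Running the script shows that `ads.example.test` is sinkholed in any letter case, while `cdn.ads.example.test` falls through to normal DNS because no entry names it, which is why a hosts file is a useful supplement to, not a substitute for, updated software and the other steps listed.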

#8 xp2004

xp2004
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 25 October 2008 - 03:28 PM

Hi,

I can't thank you enough for all your help. I have done the remaining steps that you put in your last post and have read the rest of the information. Rest assured I will keep everything updated and will keep scanning daily.

Thank you again and keep up the excellent work!!
:thumbsup:

#9 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 25 October 2008 - 04:06 PM

You're very welcome. :thumbsup:

#10 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 26 October 2008 - 02:04 PM

Glad we could be of some assistance. :thumbsup:

Since this issue appears resolved ... this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
