Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possibly infected with Antivirus 2009?


  • Please log in to reply
16 replies to this topic

#1 minwoo718

minwoo718

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 21 February 2009 - 12:07 PM

While trying to watch a video clip one day, I installed an activex control which must have been malicious and installed a virus onto my laptop.
I've tried using Malwarebytes, and it was able to remove many infected files, but two Trojans remain even after multiple cleanings.
Like many other infected users, I have a small red icon on my icon tray, and every once in a while, it will tell me that I am being warned of a security alert. I also get pop-up notifications saying there is a security violation and am asked if I want to run a scan.
I continuously get pop-ups in IE redirecting me to pages linked to anykuy.com.

I'd appreciate any help I can get with this issue. Thank you!

DDS (Ver_09-02-01.01) - NTFSx86
Run by Minna Woo at 11:59:48.23 on Sat 02/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.74 [GMT -5:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\userinit.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Documents and Settings\Minna Woo.YOUR-09DEDAFE33\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Verizon Custom Uninstall Tracking] c:\docume~1\minnaw~1.you\locals~1\temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: GPplayerActiveXCAB - hxxp://music.godpeople.com/gpplayer/GPplayerActiveXCAB.CAB
DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} - hxxp://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {575594D5-8974-4AFE-9919-8FE4AA687DEF} - hxxp://down.hangame.com/iservice/chat/NHNPlayer/nhnplayerx.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_0_4/DaumActiveX.cab?ver=2,0,0,4
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sa.bcps.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E75386B4-C629-11DB-8338-444553544200} - hxxp://cyimg7.cyworld.nate.com/cymusic/package/cyinstal.cab
DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\minnaw~1.you\applic~1\mozilla\firefox\profiles\jzwilzv5.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_600_12023;Juniper Networks TDI Filter Driver (NEOFLTR_600_12023);c:\windows\system32\drivers\NEOFLTR_600_12023.sys [2007-8-10 63024]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-17 202352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-10-7 133744]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-9 1119888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-10-12 112688]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-18 10664]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060321.005\NAVENG.Sys [2006-5-9 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060321.005\NavEx15.Sys [2006-5-9 750952]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-02-21 11:53 <DIR> --dsh--- c:\documents and settings\minna woo.your-09dedafe33\UserData
2009-02-18 18:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-18 18:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 18:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 18:09 <DIR> a-dshr-- C:\autorun.inf
2009-02-17 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-17 12:53 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-17 12:53 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\SUPERAntiSpyware.com
2009-02-17 12:34 5,250 a------- c:\windows\system32\tmp.reg
2009-02-17 12:22 389,120 a------- c:\windows\system32\CF8556.exe
2009-02-17 09:55 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\Malwarebytes
2009-02-17 09:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-15 23:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-15 23:40 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-15 23:08 <DIR> --d----- c:\windows\system32\scripting
2009-02-15 23:08 <DIR> --d----- c:\windows\l2schemas
2009-02-15 23:08 <DIR> --d----- c:\windows\system32\en
2009-02-15 23:08 <DIR> --d----- c:\windows\system32\bits
2009-02-15 23:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-15 23:00 <DIR> --d----- c:\windows\network diagnostic
2009-02-15 22:55 <DIR> --d----- c:\windows\EHome
2009-01-23 23:24 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\Gradekeeper
2009-01-23 23:24 <DIR> --d----- c:\windows\Gradekeeper
2009-01-23 23:24 <DIR> --d----- c:\program files\Gradekeeper

==================== Find3M ====================

2009-02-17 09:50 47,616 a------- c:\windows\system32\userinit.exe
2009-02-15 23:13 86,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 12:00:39.04 ===============


EDIT******************

This is what my MBAM log says each time it finds the two files I mentioned.

Malwarebytes' Anti-Malware 1.34
Database version: 1777
Windows 5.1.2600 Service Pack 3

2/21/2009 12:16:49 PM
mbam-log-2009-02-21 (12-16-49).txt

Scan type: Quick Scan
Objects scanned: 75879
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files


Edited by minwoo718, 21 February 2009 - 12:20 PM.


BC AdBot (Login to Remove)

 


#2 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Auckland NZ
  • Local time:11:37 AM

Posted 04 March 2009 - 11:05 AM

Hello there, welcome to Bleeping Computer!

Sorry for such a long delay, we're all volunteers here, and we have alot of logs to attend to right now.

Since its been a while since your originally posted your log, can you please provide me with a new DDS log.

If you have fixed the problem, or you have someone else assisting you with this log, please let us know so we can move the topic.

Thanks,

Dark Messenger

#3 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 04 March 2009 - 06:13 PM

Hi! I was trying to be patient since I know the tutorial says it could take a few days before a problem is addressed... Thanks for followin up with me. My problem is not resolved, so here's the DDS file again..


DDS (Ver_09-02-01.01) - NTFSx86
Run by Minna Woo at 18:01:31.54 on Wed 03/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.108 [GMT -5:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\userinit.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Documents and Settings\Minna Woo.YOUR-09DEDAFE33\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.xanga.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Verizon Custom Uninstall Tracking] c:\docume~1\minnaw~1.you\locals~1\temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: GPplayerActiveXCAB - hxxp://music.godpeople.com/gpplayer/GPplayerActiveXCAB.CAB
DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} - hxxp://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {575594D5-8974-4AFE-9919-8FE4AA687DEF} - hxxp://down.hangame.com/iservice/chat/NHNPlayer/nhnplayerx.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_0_4/DaumActiveX.cab?ver=2,0,0,4
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sa.bcps.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E75386B4-C629-11DB-8338-444553544200} - hxxp://cyimg7.cyworld.nate.com/cymusic/package/cyinstal.cab
DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\minnaw~1.you\applic~1\mozilla\firefox\profiles\jzwilzv5.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_600_12023;Juniper Networks TDI Filter Driver (NEOFLTR_600_12023);c:\windows\system32\drivers\NEOFLTR_600_12023.sys [2007-8-10 63024]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-17 202352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-10-7 133744]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-9 1119888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-10-12 112688]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-18 10664]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060321.005\NAVENG.Sys [2006-5-9 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060321.005\NavEx15.Sys [2006-5-9 750952]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-02-21 11:53 <DIR> --dsh--- c:\documents and settings\minna woo.your-09dedafe33\UserData
2009-02-18 18:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-18 18:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 18:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 18:09 <DIR> a-dshr-- C:\autorun.inf
2009-02-17 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-17 12:53 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-17 12:53 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\SUPERAntiSpyware.com
2009-02-17 12:34 5,250 a------- c:\windows\system32\tmp.reg
2009-02-17 12:22 389,120 a------- c:\windows\system32\CF8556.exe
2009-02-17 09:55 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\Malwarebytes
2009-02-17 09:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-15 23:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-15 23:40 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-15 23:08 <DIR> --d----- c:\windows\system32\scripting
2009-02-15 23:08 <DIR> --d----- c:\windows\l2schemas
2009-02-15 23:08 <DIR> --d----- c:\windows\system32\en
2009-02-15 23:08 <DIR> --d----- c:\windows\system32\bits
2009-02-15 23:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-15 23:00 <DIR> --d----- c:\windows\network diagnostic
2009-02-15 22:55 <DIR> --d----- c:\windows\EHome

==================== Find3M ====================

2009-02-17 09:50 47,616 a------- c:\windows\system32\userinit.exe
2009-02-15 23:13 86,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 18:02:05.07 ===============




I still see the red circle with a white x on my toolbar. Every now and then, it will tell me I have a security issue.
Pop-ups from anykuy.com still come up also... :thumbup2:

Attached Files



#4 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Auckland NZ
  • Local time:11:37 AM

Posted 05 March 2009 - 09:26 AM

Hi thanks for replying.

Im on my laptop at the minute (as my desktop has decided to kill itself). Ill need some time to look over the log and produce a solution.

Thanks, DM

#5 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Auckland NZ
  • Local time:11:37 AM

Posted 07 March 2009 - 01:21 PM

Very sorry for the delay.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#6 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 08 March 2009 - 09:03 PM

Hello, sorry it's taken me a while. The internet at home is down... :thumbup2:
Here's the scan report...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 08, 2009 20:05:08
Records in database: 1880706
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 78792
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:18:48


File name / Threat name / Threats count
C:\WINDOWS\system32\userinit.exe/C:\WINDOWS\system32\userinit.exe Infected: Trojan-Downloader.Win32.Agent.bhzq 1
C:\Documents and Settings\Minna Woo.YOUR-09DEDAFE33\My Documents\My Music\what are you to me sasha.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\WINDOWS\system32\userinit.exe Infected: Trojan-Downloader.Win32.Agent.bhzq 1

The selected area was scanned.


I hope this helps you! Thank you!

#7 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Auckland NZ
  • Local time:11:37 AM

Posted 10 March 2009 - 07:50 AM

Hi, please make sure you can see you hidden files. For a tutorial on how to do this, please read here

Then navigate to your My Documents\My Music\ folder and locate the what are you to me sasha.mp3 file and delete it by pressing and holding shift and then hit the delete key. This will delete the file and remove it from the recycle bin.

Then please navigate to your System32 folder by going My Computer > WINDOWS > System32 and locate the file userinit.exe and rename it to userinit.old. To do this, right click on the file and choose Rename.

Once you have renamed the file, refresh the page by pressing the F5 button. If you see that a new userinit.exe file has appeared.

If you see a fresh userinit.exe file then reboot. If you do not see the new file then DO NOT reboot, and let me know.

Thanks

DM

#8 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 11 March 2009 - 04:27 PM

Hi!!
I followed your steps and i THINK the problem has been resolved... fingers crossed!
Is it safe to hide the protected files again?

Thank you so much for your help!! :thumbup2:

#9 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Auckland NZ
  • Local time:11:37 AM

Posted 12 March 2009 - 10:17 AM

Hello before you hide the protected files, please delete the userinit.old file by holding Shift and Pressing Delete.

Once deleted, you can hide the protected files again.

Is the computer running fine now? No redirects?

Just to make sure you are all clean, please post hopefully your last DDS log

Thanks, DM

#10 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 12 March 2009 - 05:13 PM

Hi!
I did what you said... here's the log!!


DDS (Ver_09-02-01.01) - NTFSx86
Run by Minna Woo at 18:09:09.95 on Thu 03/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.171 [GMT -4:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Minna Woo.YOUR-09DEDAFE33\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.xanga.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Verizon Custom Uninstall Tracking] c:\docume~1\minnaw~1.you\locals~1\temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: GPplayerActiveXCAB - hxxp://music.godpeople.com/gpplayer/GPplayerActiveXCAB.CAB
DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} - hxxp://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {575594D5-8974-4AFE-9919-8FE4AA687DEF} - hxxp://down.hangame.com/iservice/chat/NHNPlayer/nhnplayerx.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_0_4/DaumActiveX.cab?ver=2,0,0,4
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sa.bcps.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E75386B4-C629-11DB-8338-444553544200} - hxxp://cyimg7.cyworld.nate.com/cymusic/package/cyinstal.cab
DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_600_12023;Juniper Networks TDI Filter Driver (NEOFLTR_600_12023);c:\windows\system32\drivers\NEOFLTR_600_12023.sys [2007-8-10 63024]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-27 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-17 202352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-10-7 133744]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-9 1119888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-10-12 112688]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-18 10664]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060321.005\NAVENG.Sys [2006-5-9 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060321.005\NavEx15.Sys [2006-5-9 750952]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-27 334984]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-27 198368]

=============== Created Last 30 ================

2009-02-21 12:53 <DIR> --dsh--- c:\documents and settings\minna woo.your-09dedafe33\UserData
2009-02-18 19:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-18 19:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 19:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:09 <DIR> a-dshr-- C:\autorun.inf
2009-02-17 13:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-17 13:53 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-17 13:53 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\SUPERAntiSpyware.com
2009-02-17 13:34 5,250 a------- c:\windows\system32\tmp.reg
2009-02-17 13:22 389,120 a------- c:\windows\system32\CF8556.exe
2009-02-17 10:55 <DIR> --d----- c:\docume~1\minnaw~1.you\applic~1\Malwarebytes
2009-02-17 10:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 00:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-16 00:40 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-16 00:08 <DIR> --d----- c:\windows\system32\scripting
2009-02-16 00:08 <DIR> --d----- c:\windows\l2schemas
2009-02-16 00:08 <DIR> --d----- c:\windows\system32\en
2009-02-16 00:08 <DIR> --d----- c:\windows\system32\bits
2009-02-16 00:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-16 00:00 <DIR> --d----- c:\windows\network diagnostic
2009-02-15 23:55 <DIR> --d----- c:\windows\EHome

==================== Find3M ====================

2009-02-16 00:13 86,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 05:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 18:10:38.79 ===============


Thank you!!!!

Attached Files



#11 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Auckland NZ
  • Local time:11:37 AM

Posted 17 March 2009 - 01:59 PM

Hi, very sorry for the delay.

Please delete C:\autorun.inf by going to My Computer and searching for autorun.inf. Select autorun.inf, press and hold shift and then press delete. This will remove the file without sending it to the recycle bin.

Your Norton online security is out of date, it is vital that your keep this up to date. Please update your Norton product, or use one of the following free antivirus and firewalls.

Please see this thread for a list of free antivirus and firewall software.

If you do choose to pick a free AV and Firewall, then please remove Norton Internet Security before you install the new ones.

Let me know when you've updated Norton or installed new antivirus/firewall.

How is the computer running now?

#12 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 21 March 2009 - 02:13 PM

Hi, I did the search for autorun.inf. Lots of files called autorun popped up, and the final one was called autorun.inf.BA2BC853_3054_4145_BEB9_B51B18B1AA56
When I opened the folder that contained this file, I couldn't delete it. Even when right clicking on it, my only options were to copy or extract that file. Is this the correct file that I was supposed to delete? If so, I've been unable to delete it. :thumbup2:

I haven't been able to install one of the recommended programs or upgrade my existing one because of a lack of internet connection for the laptop. I'll get on that soon.

The computer runs fine now-- the only issue I have is that my time on my toolbar is always in military time. It never was before the virus issue, and now I don't know how to change it back to regular AM/PM time. Would the virus have had an effect on the time display, or did I mess something up on my own?

Thanks for the help again.....

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:37 PM

Posted 13 April 2009 - 07:56 AM

Sorry for the late reply.

Are you still in need of assistance?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#14 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:37 PM

Posted 13 April 2009 - 09:34 AM

Hello~
As of my last post, I was having trouble deleting the file I was told to delete. I still haven't been able to delete it. Is that critical?
Also, I think I figured out the time display thing, so I'll live with that...
And lastly, I upgraded my Norton anto-virus protection, so that's working well now.

Any insight about deleting the file will be appreciated! :thumbup2: Thanks!

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:37 PM

Posted 13 April 2009 - 06:38 PM

I think I figured out the time display thing, so I'll live with that...

I can fix that for you.
  • Go to Start >Control Panel >Date ,Time and regional settings.
  • Click on Regional and language options.
  • Next to the section that says your regional language (mine is English) click on customise.
  • Click on the Time tab at the top.
  • The next to time format make sure that it looks like this >h:mm:ss tt if it doesn't then change it to that.
  • Then click apply then ok.
  • Then apply then ok again and you should be good to go.
=============

I was having trouble deleting the file I was told to delete

Sure.
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\autorun.inf
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users