
I believe I have the Trojan virus TROJ/RUSTOK-N


This topic is locked.
8 replies to this topic

#1 pksmale

  • Members
  • 4 posts

Posted 04 July 2009 - 07:28 PM

I have run the Norton 360 virus scan and it claims that it has cleaned my machine but I keep getting the message I have an Infostealer but Norton 360 cannot remove it. When I check the details it says there are 39 files affected but they all are listed as globalroot\systemroot\system32\msivxrhnyxknaijapxuppxtactueodrhjmewv.dll. When I search for this file I cannot find it. I tried to attach a copy of these messages but they were too big.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Pete and Joann at 13:05:34.50 on Sat 07/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.263 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
svchost.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech MX620\SetPoint\SetPoint.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Gamevance\gamevance32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pete and Joann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ptd.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: CInterceptor Object: {38d3fe60-3d53-4f37-bb0e-c7a97a26a156} - c:\program files\pando networks\pando\PandoIEPlugin.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Pando Toolbar BHO: {e3ea4fd1-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Gamevance class: {f02fabcb-92dd-475a-98af-14217bd50746} - c:\program files\gamevance\gvtl.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Pando Toolbar: {e3ea4fd9-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [<NO NAME>]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...09.0.5.26&build=Symantec&a=00000082.00000045.00000119&b=00000082.000000e6.0000026f&c=00000082.000000e7.0000027c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AudioHQ] c:\program files\creative\sblive\audiohq\AHQTB.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [NWEReboot]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HotSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech mx620\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - hxxp://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175478122609
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://sympatico.zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://portal.pplweb.com/nortel_cacheable/NetDirect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://portal.pplweb.com/nortel_cacheable/iewiper.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.pplweb.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
TCP: NameServer = 85.255.112.21,85.255.112.89
TCP: {EABC79B6-FF8D-4D35-A74D-7CDED2F10D23} = 85.255.112.21,85.255.112.89
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2007-4-1 9344]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-6-16 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-6-16 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-6-16 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090625.003\IDSXpx86.sys [2009-6-30 276344]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2007-4-1 6656]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2007-4-1 462464]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-2 10384]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-6-16 115560]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2007-4-1 28672]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 tgsrvc_chatsupport.palm.com;SupportSoft Repair Service (chatsupport.palm.com);c:\program files\chatsupport.palm.com\bin\tgsrvc.exe [2008-1-11 148768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-30 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090703.049\NAVENG.SYS [2009-7-4 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090703.049\NAVEX15.SYS [2009-7-4 876144]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-11 66048]

=============== Created Last 30 ================

2009-06-24 21:19 204,800 a------- c:\windows\IdsRdCli.exe
2009-06-24 21:19 4,608 a------- c:\windows\IdsRCli.exe
2009-06-24 21:19 <DIR> --d----- c:\program files\IDS LLC
2009-06-24 21:18 <DIR> --d----- c:\program files\ACS Inc
2009-06-16 21:58 <DIR> --d--r-- c:\program files\Norton Support
2009-06-16 21:47 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-16 21:47 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-16 21:47 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-16 21:47 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-16 21:47 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-16 21:47 <DIR> --d----- c:\program files\Symantec
2009-06-16 21:45 <DIR> --d----- c:\windows\system32\drivers\N360
2009-06-16 21:45 <DIR> --d----- c:\program files\Norton 360
2009-06-16 14:45 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-06-15 15:11 4 a------- c:\windows\system32\MSIVXcount
2009-06-09 15:52 <DIR> -cd-h--- c:\windows\ie8
2009-06-09 15:45 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 15:45 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-04 21:53 26 a------- c:\windows\Zone.Identifier

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-11 15:55 24 a------- C:\DUKE3D.BAT
2008-07-21 21:02 2,707 ac-sh--- c:\windows\system32\dllcache\smdata32\odTxt.dat
2008-07-19 16:10 5 ac-sh--- c:\windows\system32\dllcache\smdata32\onfy_.dll

============= FINISH: 13:06:19.42 ===============
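The log above carries three things a helper reads for before replying: resolver addresses planted by a DNS changer (the TCP: NameServer lines point at 85.255.112.21 and 85.255.112.89, not at the ISP or router), a file the antivirus reports under a globalroot\systemroot path that ordinary file search cannot find (the "Created Last 30" entry MSIVXcount shares its name prefix), and a run of jinstall DPF entries for Java versions older than the one installed. The script below is an added example, not part of this thread and not from the DDS tool; it applies those three checks to a constructed excerpt of the log. The DNSChanger resolver ranges are the ones the FBI published for Operation Ghost Click, and the five-character prefix match is a heuristic chosen here; confirm both against current sources before acting on a hit.

```python
"""Triage checks over a DDS log (added example; not the thread's or DDS's code).

  1. TCP NameServer entries outside private/loopback space, compared against the
     DNSChanger resolver ranges published by the FBI (Operation Ghost Click).
  2. "Created Last 30" files sharing a name prefix with a file the antivirus
     reported under \\globalroot\\systemroot (hidden from normal file search).
  3. Several Java jinstall DPF entries at different versions, i.e. stale JREs.
"""
import ipaddress
import re

# Constructed sample: a handful of lines in DDS format, shaped like the log above.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
TCP: NameServer = 85.255.112.21,85.255.112.89
TCP: {EABC79B6-FF8D-4D35-A74D-7CDED2F10D23} = 85.255.112.21,85.255.112.89
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
=============== Created Last 30 ================
2009-06-15 15:11 4 a------- c:\\windows\\system32\\MSIVXcount
2009-06-09 15:45 246,272 -c------ c:\\windows\\system32\\dllcache\\ieproxy.dll
"""

# Resolver ranges of the DNSChanger operation as published by the FBI
# (Operation Ghost Click). Verify against a current source before relying on it.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]

# Path Norton reported in the first post. The NT object-namespace prefix is
# why Explorer search cannot find it.
REPORTED_HIDDEN = r"globalroot\systemroot\system32\msivxrhnyxknaijapxuppxtactueodrhjmewv.dll"


def parse_nameservers(log):
    """Distinct resolver IPs from 'TCP: <name or GUID> = a,b' lines, in order."""
    ips = []
    for m in re.finditer(r"^TCP: [^=]*=\s*([\d.,]+)", log, re.M):
        for ip in m.group(1).split(","):
            if ip and ip not in ips:
                ips.append(ip)
    return ips


def classify_resolver(ip):
    """'local' for RFC1918/loopback, 'dnschanger' for a known rogue range, else 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback:
        return "local"
    if any(addr in net for net in DNSCHANGER_RANGES):
        return "dnschanger"
    return "public"  # not wrong by itself; ask the user whether they set it


def hidden_file_siblings(log, reported_path):
    """'Created Last 30' paths whose file name shares the hidden file's prefix.

    Heuristic (assumed here): the first five letters of the reported name.
    """
    name = reported_path.rsplit("\\", 1)[-1]
    prefix = re.match(r"[a-z]+", name, re.I).group(0)[:5].lower()
    hits = []
    for m in re.finditer(r"^\d{4}-\d{2}-\d{2} .* (c:\\.+)$", log, re.M | re.I):
        path = m.group(1)
        if path.rsplit("\\", 1)[-1].lower().startswith(prefix):
            hits.append(path)
    return hits


def stale_java_installers(log):
    """(older versions, newest version) from jinstall-<maj>_<min>_<rel>_<upd> entries."""
    versions = set()
    for m in re.finditer(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", log):
        versions.add(tuple(int(x) for x in m.groups()))
    ordered = sorted(versions)
    return ordered[:-1], (ordered[-1] if ordered else None)


def triage(log, reported_hidden=REPORTED_HIDDEN):
    """Human-readable findings from the three checks."""
    findings = []
    for ip in parse_nameservers(log):
        kind = classify_resolver(ip)
        if kind != "local":
            findings.append("resolver %s: %s" % (ip, kind))
    for path in hidden_file_siblings(log, reported_hidden):
        findings.append("shares prefix with AV-reported hidden file: " + path)
    stale, newest = stale_java_installers(log)
    for v in stale:
        findings.append("stale Java installer %s (newest is %s)" % (
            ".".join(map(str, v)), ".".join(map(str, newest))))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_DDS):
        print(line)
```

Run it against a full DDS log by reading the file into `triage()`; a "dnschanger" resolver finding means every lookup on the machine has been going through the attacker's servers, which is why the MBAM log later in this thread removes the NameServer values from every ControlSet and interface, not just the current one.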


#2 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 July 2009 - 10:16 PM

Hello pksmale,

Uninstall these old versions of Java, as they attract malware
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1


***************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

***************


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 10 July 2009 - 10:25 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 pksmale

  • Topic Starter

  • Members
  • 4 posts

Posted 17 July 2009 - 08:51 PM

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
Norton360
Norton360
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Java™ 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Norton ccSvcHst.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 6 seconds.
`````````End of Log```````````

#4 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 July 2009 - 09:22 PM

pksmale,

You forgot to post the Malwarebytes log and the HijackThis log.

If you don't have HijackThis installed, then do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.

#5 pksmale

  • Topic Starter

  • Members
  • 4 posts

Posted 18 July 2009 - 06:59 AM

I will install HijackThis next and post the file as soon as I get it.


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/18/2009 7:27:25 AM
mbam-log-2009-07-18 (07-27-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152225
Time elapsed: 2 hour(s), 55 minute(s), 52 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 23
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 25
Files Infected: 173

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\gamevancetext.linker (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{b0f8bcab-09bf-4103-9d46-ad55988990e1} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{243361a8-3697-4811-a74b-1be379caa00e} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e46c1720-2b1b-429b-8600-a96a39f981bb} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f02fabcb-92dd-475a-98af-14217bd50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f02fabcb-92dd-475a-98af-14217bd50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f02fabcb-92dd-475a-98af-14217bd50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevancetext.linker.1 (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/WINDOWS/downloaded program files/PiratePoppers.1.0.0.39.dll (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{38d97cce-7243-4b6e-b6a8-dd872ad3eb33} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6868afe5-f258-47dc-bc37-0821f96dc1d2} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eabc79b6-ff8d-4d35-a74d-7cded2f10d23}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{eabc79b6-ff8d-4d35-a74d-7cded2f10d23}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{eabc79b6-ff8d-4d35-a74d-7cded2f10d23}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\smdata32 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\fxddsk (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\inf0z (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\msn (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\remdsk (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\Temporary Internet Files (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa03 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa05 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa06 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa07 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa10 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01New_arquivos (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\tr4ckd (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
c:\program files\gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\program files\gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\odTxt.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\olstscn.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\onfy_.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\ozipmrrtrk.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\sett1ngs.s0l (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\data.rar (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\02.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\02a.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa02\index01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa03\03.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa03\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa03\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa03\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa03\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\04.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\erro01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\login.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\menu.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa04\status.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa05\05.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa05\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa05\erro.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa05\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa05\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa06\06.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa06\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa06\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa06\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa07\07.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa07\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa07\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa07\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa07\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\08.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\08a.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa08\index01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\09.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\09a.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\064528-banner-240x60.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\clearpixel.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\common.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\iconcontactus.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\MTWebBankLogo.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\MT_FooterLogo.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\RetailStyle.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\SignOn.htm (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa09\index_arquivos\wbksignonbanner2.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa10\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\11.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\11a.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\go_Button(1).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\go_Button.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\house.jpg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\ice.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(1).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(2).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(3).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(4).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(5).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(6).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive(7).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\inactive.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\mainstyle-pt.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\pt-personalfinance.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\PTDateFormats.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\PTPortletServices.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\PTRoboHelp.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\PTU-Date-pt.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\PTU-Number-pt.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\PTUtil.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\signon_Button.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\small-short-logo.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\speedBump.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index01new_arquivos\Thumbs.db (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\alert_pf.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\bt_go.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\go_Button(1).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\go_Button.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\hb_Q108_my_cause_PF_branding.jpg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\house.jpg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\ice.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive(1).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive(2).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive(3).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive(4).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive(5).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive(6).gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\inactive.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\landing.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\logo-med.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\mainstyle-pt.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\PTDateFormats.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\PTPortletServices.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\PTRoboHelp.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\PTU-Date-pt.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\PTU-Number-pt.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\PTUtil.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\SetCookie.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\signon_Button.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\sp.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\speedBump.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa11\index_arquivos\Thumbs.db (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\12.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\12a.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\CSS.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\index01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\cinza.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_01.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_02.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_03.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_04.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_05.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_06.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_07.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_08.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_09.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_10.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_11.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_12.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_13.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\index_14.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\spacer.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa12\images\Thumbs.db (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\13.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\13a.swf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\erro.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\erro.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\flash.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index01.html (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\btnDownArrow.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\btnRightArrow.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\btnUpArrow.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\loadMedia.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\screen.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\securityLock.gif (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\Site.css (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\smdata32\temporary internet files\empresa13\index_arquivos\wtbase.js (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\downloaded program files\PiratePoppers.1.0.0.39.dll (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\downloaded program files\PiratePoppers.1.0.0.39.inf (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Quarantined and deleted successfully.

#6 SifuMike (malware expert)

Posted 18 July 2009 - 09:34 AM

Hi pksmale,

Please post the HijackThis log.

#7 pksmale (Topic Starter)

Posted 18 July 2009 - 11:47 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:12 PM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Logitech MX620\SetPoint\SetPoint.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pete and Joann\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000e7.0000027c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HotSync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech MX620\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175478122609
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/amun...mjolauncher.cab
O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://portal.pplweb.com/nortel_cacheable/NetDirect.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://portal.pplweb.com/nortel_cacheable/iewiper.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://portal.pplweb.com/dana-cached/setup...perSetupSP1.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe

--
End of file - 12743 bytes

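As an added example (not code from this thread or from HijackThis itself), a small Python triage helper that parses the O23 service lines of a log like the one above and flags the two markers a log reviewer checks first, "Unknown owner" and "(file missing)"; the "expected directory" check is my own heuristic and not something the thread states, and the sample lines are copied from this log.

```python
import re
# Three O23 lines and one O16 line copied from the HijackThis log in this thread.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe",
    r"O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe",
    r"O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)",
    r"O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab",
])
PREFIX = "O23 - Service: "
MISSING = " (file missing)"   # suffix HijackThis appends when the binary is absent
# Trailing "(short_name)" HijackThis puts after the service display name.
SHORT_RE = re.compile(r"^(?P<name>.*\S)\s+\((?P<short>[^()]+)\)$")
# Assumed normal homes for a service binary on this XP box; a path elsewhere
# is a prompt to look closer, not a verdict (heuristic, my assumption).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

def parse_o23(line):
    """Split one 'O23 - Service:' line into name, short name, owner and path."""
    if not line.startswith(PREFIX):
        return None
    # Split from the right so a display name containing ' - ' survives intact.
    parts = line[len(PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING)
    path = path[:-len(MISSING)] if missing else path
    m = SHORT_RE.match(name)
    name, short = (m.group("name"), m.group("short")) if m else (name, None)
    return {"name": name, "short": short, "owner": owner, "path": path, "missing": missing}

def flag(entry):
    """Markers a HijackThis log reviewer checks first on a service entry."""
    flags = []
    if entry["owner"] == "Unknown owner":
        flags.append("unknown owner")
    if entry["missing"]:
        flags.append("file missing")
    if not entry["path"].lower().startswith(EXPECTED_DIRS):
        flags.append("unexpected path")
    return flags

def triage(log_text):
    """Parse every O23 line in a log and attach its flags; other lines are skipped."""
    out = []
    for entry in filter(None, map(parse_o23, log_text.splitlines())):
        entry["flags"] = flag(entry)
        out.append(entry)
    return out
```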
#8 SifuMike
malware expert
  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 18 July 2009 - 12:31 PM

Hi pksmale,

You have a nasty rootkit so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Norton 360 Antivirus before running ComboFix, as it will prevent it from running.

To disable NORTON 360
Right-click the Norton 360 icon in the system tray and select Open Tasks and Settings Window.
On the right side, under Settings, click on Change advanced settings.
Next, click on the Virus & Spyware Protection Settings.
Uncheck Turn on Auto-Protect and select Apply.
You will be asked to select a time for Norton to reactivate.
Choose Until I turn it back on.
You can re-enable after the malware has been removed from your machine.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike
malware expert
  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 24 July 2009 - 10:16 PM

This thread will now be closed due to lack of feedback.
