
Infected With I Dont Know What


13 replies to this topic

#1 osospanky


  • Members
  • 12 posts
  • OFFLINE

Posted 06 August 2006 - 12:38 AM

Heya guys,

Having huge issues with a work PC. Clicked on a link from Google and managed to get the PC full of spyware/malware. I've spent the past 2 weeks trying to kill all the stuff off but am having no luck whatsoever. I've run Ad-Aware, Spybot S&D, Norton's, McAfee, Panda online, HouseCall to name a few. Each time these proggys are run they seem to find a different problem.

I know it's had SpywareQuake, syssecurity.com, bgates and the list goes on. I've researched each one it tells me and have used smitrem, smitfraud, VirtumundoBeGone, Vundo and each time it finds and kills the spyware, but next time you dial up, you go back to square one, everything's back again.

I'm guessing it's hiding somewhere else as something and coming back with each net connection, and it's beyond me.

Following is the HijackThis log for the PC. I've also included the startup list as well in case that helps. It's a network slave box and the master PC is not infected at all, if that helps.

I'd really appreciate your help before the boss fires me :thumbsup:

Tina

Logfile of HijackThis v1.99.1
Scan saved at 1:15:42 AM, on 06/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Backoffice\Desktop\hjthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:5225/ToolboxManager/deviceRegistry
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT
O4 - Global Startup: Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
O4 - Global Startup: Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat
O15 - Trusted Zone: http://www.e-orders.com.au
O15 - Trusted Zone: http://www.e-orders.com.au (HKLM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: vtuurpm - C:\WINDOWS\SYSTEM32\vtuurpm.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




StartupList report, 06/08/2006, 1:16:25 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Backoffice\Desktop\hjthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Backoffice\Desktop\hjthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Backoffice\Start Menu\Programs\Startup]
Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HPLJ Config = C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - C:\WINDOWS\System32\vtuurpm.dll - {E521797A-22DE-4B46-8B2F-8E98AB77B942}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - Backoffice.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8113.5201967593

[CSS Web Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
CODEBASE = http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

{00275E5D-0957-3081-1201-04052620003d} = "C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe" mc-110-12-0000272

--------------------------------------------------

End of report, 6,301 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 -David-


  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 04:20 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.
You've got the latest Vundo infection, I'm afraid.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying VundoFix will close and re-open in a minute or less - Click OK.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once the scan is complete, right-click inside the listbox (white box) and click "Add More Files".
Copy and paste the 2 entries below into the top 2 boxes (no arrows):

--> C:\WINDOWS\System32\vtuurpm.dll
--> C:\WINDOWS\system32\mpruutv.*

Click "Add Files" and click "Close Window".
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shut down your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

David
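To triage a log like the one above mechanically rather than by eye, here is an added Python example; it is not code from this thread, from HijackThis or from VundoFix. It parses the O2 (BHO) and O20 (Winlogon Notify) lines, flags DLLs in the Windows system directory that are not on an allowlist, derives the reversed-name companion file that the second entry in David's instructions shows (vtuurpm.dll next to mpruutv.*), and recognises the "(file missing)" marker that a later log in this thread carries once the DLL is gone but its registration remains. The allowlist and the sample lines are constructed for this example from the log posted here.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O2 (BHO) and O20 (Winlogon Notify) lines from the first
# HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: vtuurpm - C:\WINDOWS\SYSTEM32\vtuurpm.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
"""

# Constructed sample: the same BHO line as it appears in the log posted after
# VundoFix ran; the file is gone but the CLSID registration is still there.
SAMPLE_AFTER_FIX = r"""
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll (file missing)
"""

# Assumed allowlist for this example only: DLL basenames the thread's log shows
# with a recognisable vendor. Real triage would check publisher signatures/hashes.
KNOWN_DLLS = {"acroiehelper.dll", "sdhelper.dll", "nisshext.dll", "navshext.dll",
              "igfxsrvc.dll", "pcanotify.dll"}

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_MISSING = " (file missing)"


@dataclass
class Entry:
    kind: str          # "O2" or "O20"
    name: str          # BHO display name or Winlogon Notify subkey name
    path: str          # DLL path with the "(file missing)" marker stripped
    file_missing: bool


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2 and O20 lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O2.match(line) or _O20.match(line)
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith(_MISSING)
        if missing:
            path = path[: -len(_MISSING)]
        entries.append(Entry(line.split(" ", 1)[0], m.group("name"), path, missing))
    return entries


def basename(path: str) -> str:
    return path.rpartition("\\")[2]


def in_system_dir(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def reversed_companion(path: str) -> str:
    """Glob for the companion file David's instructions name: same directory,
    the stem spelled backwards, any extension (vtuurpm.dll -> mpruutv.*)."""
    directory, _, fname = path.rpartition("\\")
    stem = fname.rpartition(".")[0] or fname
    return f"{directory}\\{stem[::-1]}.*"


def triage(entries: list[Entry]) -> list[dict]:
    """Return one finding per entry that deserves a second look (not a verdict)."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append({"kind": e.kind, "path": e.path, "reason": "orphaned",
                             "detail": "registration remains but the DLL is gone"})
            continue
        if basename(e.path).lower() in KNOWN_DLLS:
            continue
        if in_system_dir(e.path):
            # Winlogon Notify DLLs load into winlogon.exe at logon, so an
            # unrecognised one ranks above an unnamed BHO.
            reason = "winlogon-notify" if e.kind == "O20" else "unnamed-bho"
            findings.append({"kind": e.kind, "path": e.path, "reason": reason,
                             "detail": "unrecognised DLL in the Windows system directory",
                             "companion": reversed_companion(e.path)})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)) + triage(parse_hjt(SAMPLE_AFTER_FIX)):
        print(f"{f['kind']:4} {f['reason']:16} {f['path']}  {f.get('companion', '')}")
```

Run it over the sample and it lists the vtuurpm.dll BHO, the two Winlogon Notify DLLs it cannot vouch for, and the orphaned registration from the post-fix log. A flag here means "look closer", not "malicious": winrvc32.dll is flagged only because it is not on the constructed allowlist, and the thread never identifies it.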

#3 osospanky

  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE

Posted 06 August 2006 - 11:09 PM

Heya David

I followed the directions to a T but came up with a small hiccup. When I typed in mpruutv.* and clicked on "Add Files" and "Close Window" it came up with a double of the top file.

I went back and tried to re-enter the file name, thinking I may have just got it wrong, but same result. Either way the rest of the removal went like clockwork and it seems to have worked thus far. Time will tell though, as I'm not posting this from work.

As you asked, I've attached a copy of the new HijackThis file and startup list as well as a copy of the VundoFix text.

Norton did find the Dialer.Trojan bgates(1).exe, which I'm guessing I'll have to delete the old-fashioned way.

Many thanks for the help,

Tina


Logfile of HijackThis v1.99.1
Scan saved at 1:51:41 PM, on 07/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Backoffice\Desktop\tinas crap\hjthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:5225/ToolboxManager/deviceRegistry
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT
O4 - Global Startup: Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
O4 - Global Startup: Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat
O15 - Trusted Zone: http://www.e-orders.com.au
O15 - Trusted Zone: http://www.e-orders.com.au (HKLM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe





StartupList report, 07/08/2006, 1:52:21 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Backoffice\Desktop\tinas crap\hjthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Backoffice\Desktop\tinas crap\hjthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Backoffice\Start Menu\Programs\Startup]
Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HPLJ Config = C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - C:\WINDOWS\System32\vtuurpm.dll (file missing) - {E521797A-22DE-4B46-8B2F-8E98AB77B942}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - Backoffice.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8113.5201967593

[CSS Web Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
CODEBASE = http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

{00275E5D-0957-3081-1201-04052620003d} = "C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe" mc-110-12-0000272

--------------------------------------------------

End of report, 6,396 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 1:04:02 PM 28/07/2006

Listing files found while scanning....

C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 2:39:02 PM 02/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 12:13:04 PM 04/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 1:25:15 PM 07/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\System32\vtuurpm.dll
C:\WINDOWS\System32\vtuurpm.dll Has been deleted!

Performing Repairs to the registry.
Done!

#4 -David- (Members, 10,603 posts, London)

Posted 07 August 2006 - 04:10 AM

That's great; although there was a hiccup, the infection has been removed.

Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#5 osospanky (Topic Starter, Members, 12 posts)

Posted 08 August 2006 - 08:10 PM

Heya again David,

Managed to get the day off work yesterday, hence the time it's taken me to get back to you.

I had no luck at all with ComboFix and to add to my woes the whole thing has gone back to where it was originally. I've been hijacked by www.syssecurity.com and Norton is finding various problems including bgates.exe and wlzip.exe.

Is there any chance it could be hiding elsewhere in the system? Because all the fixes only seem to work till the next time I log on.

Attached is the ComboFix log you requested as well as the HijackThis log for today.

Thanks,

Tina



Logfile of HijackThis v1.99.1
Scan saved at 10:50:20 AM, on 09/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}\Update.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\ismon.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Documents and Settings\Backoffice\Desktop\tinas crap\hjthis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\components\flx2.dll
C:\WINDOWS\System32\components\flx3.dll

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:5225/ToolboxManager/deviceRegistry
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT
O4 - Global Startup: Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
O4 - Global Startup: Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat
O15 - Trusted Zone: http://www.e-orders.com.au
O15 - Trusted Zone: http://www.e-orders.com.au (HKLM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0C80615-F03B-447F-BBFC-EEDC3799C321}: NameServer = 61.8.0.113 210.23.129.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: pmnnono - C:\WINDOWS\SYSTEM32\pmnnono.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Start Time= 09/08/2006 10:36:44.71

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-07 14:00:50 14848 ( A.... ) "C:\WINDOWS\system32\cool.exe"
2006-08-04 13:37:44 40973 ( ..SH. ) "C:\WINDOWS\system32\mljhgeb.dll"
2006-08-02 15:11:40 ( .D... ) "C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}"
2006-07-28 10:44:54 ( .D... ) "C:\Documents and Settings\Backoffice\Application Data\Symantec"
2006-07-28 10:36:48 ( .D... ) "C:\Program Files\Norton Internet Security"
2006-07-26 15:02:08 65556 ( A.... ) "C:\WINDOWS\system32\ncbrwden.exe"
2006-07-26 13:55:40 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-26 12:47:06 65556 ( A.... ) "C:\WINDOWS\system32\nemntatx.exe"
2006-07-26 11:49:28 65556 ( A.... ) "C:\WINDOWS\system32\hynvsuqp.exe"
2006-07-25 08:50:58 ( .D... ) "C:\Program Files\Trend Micro"
2006-07-23 00:59:52 ( .D... ) "C:\Documents and Settings\Backoffice\Application Data\Lavasoft"
2006-07-21 15:14:54 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-21 14:21:00 17750 ( A.... ) "C:\WINDOWS\system32\orhrdyid.exe"
2006-07-21 14:19:44 573492 ( A.... ) "C:\WINDOWS\system32\vtutr.dll.vir"
2006-07-21 14:10:48 18944 ( A.... ) "C:\WINDOWS\system32\winrvc32.dll"
2006-07-21 14:01:32 ( .D... ) "C:\Program Files\eOrders"
2006-07-21 13:58:16 274432 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-07-21 13:58:14 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-07-19 10:13:00 ( .D... ) "C:\Documents and Settings\Backoffice\Application Data\Help"
2006-07-17 09:42:04 43 ( A.... ) "C:\WINDOWS\reconnect.bat"
2006-06-08 12:08:36 534208 ( A.... ) "C:\WINDOWS\system32\SymNeti.dll"
2006-06-08 12:08:36 161472 ( A.... ) "C:\WINDOWS\system32\SymRedir.dll"
2006-05-16 14:34:38 87808 ( A.... ) "C:\WINDOWS\system32\S32EVNT1.DLL"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-07 14:00 14,848 C:\WINDOWS\system32\cool.exe
2006-08-04 14:05 53,248 C:\WINDOWS\system32\Process.exe
2006-08-04 14:05 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-04 14:05 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 14:05 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-04 13:37 40,973 C:\WINDOWS\system32\mljhgeb.dll
2006-07-28 10:34 466,944 C:\WINDOWS\system32\capicom.dll
2006-07-26 15:01 65,556 C:\WINDOWS\system32\ncbrwden.exe
2006-07-26 12:46 65,556 C:\WINDOWS\system32\nemntatx.exe
2006-07-26 12:12 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-26 11:49 65,556 C:\WINDOWS\system32\hynvsuqp.exe
2006-07-23 02:20 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-23 02:20 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-21 14:20 17,750 C:\WINDOWS\system32\orhrdyid.exe
2006-07-21 14:16 573,492 C:\WINDOWS\system32\vtutr.dll.vir
2006-07-21 14:10 18,944 C:\WINDOWS\system32\winrvc32.dll
2006-07-21 13:58 73,216 C:\WINDOWS\ST6UNST.EXE
2006-07-21 13:58 274,432 C:\WINDOWS\Setup1.exe
2006-07-17 09:41 43 C:\WINDOWS\reconnect.bat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HPLJ Config"="C:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\SetConfig.exe -c Direct -p DOT4_002 -pn \"hp LaserJet 1320 PCL 6 (Copy 1)\" -n 1 -l 1033 -sl 120000"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{00275E5D-0957-3081-1201-04052620003d}"="\"C:\\Program Files\\Common Files\\{00275E5D-0957-3081-1201-04052620003d}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoDispAppearancePage REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispBackgroundPage REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Backoffice.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 09/08/2006 10:37:04.31
ComboFix ver 06.07.15/28/B - This logfile is located at C:\ComboFix.txt

#6 -David- (Members, 10,603 posts, London)

Posted 09 August 2006 - 05:13 PM

Hey there Tina

You have a whole host of malware on your computer I'm afraid.
However, we should be able to solve it all.

I think it's important we run a couple of general scanners to remove as many infected files as possible to start with.

1) Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

2) Please download, install, and update Ewido anti-spyware.
Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot!! I need the log later.

3) Please go to start > run and copy and paste the next command into the field:

"C:\Documents and Settings\Owner\Desktop\combofix.exe" /v pmnnono winrvc32

Hit enter.
This should start the combofix.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Also post the Ewido log.

David
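The two loading points David is targeting with the `/v pmnnono winrvc32` switch are the O20 Winlogon Notify entries in Tina's HijackThis log: a DLL registered under Winlogon\Notify is mapped into winlogon.exe at every logon, before the desktop exists, which is exactly why every on-demand cleanup "works till the next time I log on". The script below is an added example for this thread, not code from HijackThis, ComboFix or VundoFix. It triages the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis 1.99 log and returns the Notify subkey names a responder would feed to a tool like ComboFix. The sample lines are copied from the 09/08/2006 log posted above; `KNOWN_NOTIFY` is an assumption, the Notify packages that belong on this particular XP SP1 box, not a general signature list.

```python
"""Triage a HijackThis 1.99 log for the logon persistence that kept this
infection coming back: Winlogon Notify DLLs (O20) and Browser Helper
Objects (O2).

Added example for this thread; not code from HijackThis, ComboFix or
VundoFix.  KNOWN_NOTIFY is an assumption about this one XP SP1 machine.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4/O20 lines from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: pmnnono - C:\WINDOWS\SYSTEM32\pmnnono.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
"""

RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Assumption: Notify packages expected on this box (XP SP1 defaults plus the
# Intel graphics and pcAnywhere entries visible in the log).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule", "sclgntfy",
    "SensLogn", "termsrv", "wlballoon",
    "igfxcui", "PCANotify",
}


@dataclass
class Finding:
    section: str   # HijackThis section, "O2" or "O20"
    key: str       # Notify subkey name or BHO CLSID
    path: str      # DLL path as logged
    reason: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the O2/O20 entries a responder should look at first."""
    findings = []
    for line in log_text.splitlines():
        m = RE_NOTIFY.match(line)
        if m:
            # Anything under Winlogon\Notify is loaded by winlogon.exe at every
            # logon, before the desktop exists; that is what "back at next
            # logon" looks like in this thread.
            if m["key"] not in KNOWN_NOTIFY:
                findings.append(Finding("O20", m["key"], m["path"],
                                        "Winlogon Notify DLL not on the known-good list"))
            continue
        m = RE_BHO.match(line)
        if not m:
            continue
        if m["path"].endswith("(file missing)"):
            # The CLSID is still registered; the loader will happily re-create
            # the DLL under a new name on the next run.
            findings.append(Finding("O2", m["clsid"], m["path"],
                                    "BHO CLSID still registered but its DLL is gone (partial cleanup)"))
        elif m["name"] == "(no name)" and re.search(r"\\system32\\[^\\]+\.dll$", m["path"], re.I):
            findings.append(Finding("O2", m["clsid"], m["path"],
                                    "nameless BHO loaded straight from System32"))
    return findings


def notify_names(findings: list[Finding]) -> list[str]:
    """Notify subkey names: the values David passed to ComboFix's /v switch."""
    return [f.key for f in findings if f.section == "O20"]


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.key:40} {f.reason}\n     {f.path}")
    print("combofix /v", " ".join(notify_names(found)))
```

On the sample this yields `pmnnono` and `winrvc32` as the Notify names and flags the orphaned `{E521797A-...}` BHO registration, while leaving Intel's igfxcui, pcAnywhere's PCANotify and Spybot's nameless SDHelper alone. One practical caveat when reusing the command line from the post: it points at the Owner profile, but every log in this thread shows the tools living under `C:\Documents and Settings\Backoffice\Desktop\tinas crap`, so the path has to be adjusted to wherever combofix.exe actually sits.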

#7 osospanky (Topic Starter, Members, 12 posts)

Posted 12 August 2006 - 04:29 PM

Heya David,

Did as you asked and the results are following.

Have a prob with HijackThis not allowing me to save a log.

I'm too tired to even look at where that's going wrong.

God I hate graveyard shifts :D

Talk soon,

Tina

Backoffice*Administrators - 06-08-13 6:47:23.29
Running from: C:\Documents and Settings\Backoffice\Desktop\tinas crap

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{00275E5D-0957-3081-1201-04052620003d}


((((((((((((((((((((((((((((((( Files Created from 2006-07-13 to 2006-08-13 ))))))))))))))))))))))))))))))))))


2006-08-13 01:53 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-08-13 01:27 18,200 C:\WINDOWS\system32\wups2.dll
2006-08-10 13:07 2,680 C:\WINDOWS\system32\kjkkj.ini2
2006-08-09 11:36 573,492 C:\WINDOWS\system32\jkkjk.dll
2006-08-09 11:11 271,321 C:\WINDOWS\system32\mljjj.dll
2006-08-04 14:05 53,248 C:\WINDOWS\system32\Process.exe
2006-08-04 14:05 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-04 14:05 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 14:05 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-30 16:50 542,540 C:\WINDOWS\system32\rtutv.ini2
2006-07-26 12:12 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-26 11:49 563,465 C:\WINDOWS\system32\rtutv.bak2
2006-07-23 02:20 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-23 02:20 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-21 14:20 541,441 C:\WINDOWS\system32\rtutv.bak1
2006-07-21 13:58 73,216 C:\WINDOWS\ST6UNST.EXE
2006-07-21 13:58 274,432 C:\WINDOWS\Setup1.exe
2006-07-17 09:41 43 C:\WINDOWS\reconnect.bat
2006-07-15 01:53 307,200 C:\WINDOWS\system32\netapi32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-13 06:49 2680 ---hs---- C:\WINDOWS\system32\kjkkj.ini2
2006-08-13 06:49 ------- d-------- C:\Program Files\Common Files
2006-08-13 05:57 ------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-13 05:57 ------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-13 03:13 ------- d-------- C:\Program Files\Lavasoft
2006-08-13 03:13 ------- d-------- C:\Documents and Settings\Backoffice\Application Data\Lavasoft
2006-08-12 13:02 ------- d-------- C:\Documents and Settings\Backoffice\Application Data\AdobeUM
2006-08-11 10:14 ------- d-------- C:\WINDOWS\system32\MBOLS~1
2006-08-10 12:25 ------- d-------- C:\Program Files\Norton Internet Security
2006-08-09 11:37 573492 ---hs---- C:\WINDOWS\system32\jkkjk.dll
2006-08-09 11:12 271321 --a------ C:\WINDOWS\system32\mljjj.dll
2006-07-31 12:48 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-07-31 12:20 542540 ---hs---- C:\WINDOWS\system32\rtutv.ini2
2006-07-28 14:50 563465 ---hs---- C:\WINDOWS\system32\rtutv.bak2
2006-07-28 12:53 ------- d---s---- C:\Documents and Settings\Backoffice\Application Data\Microsoft
2006-07-28 12:35 ------- d-------- C:\Program Files\Symantec
2006-07-28 10:44 ------- d-------- C:\Documents and Settings\Backoffice\Application Data\Symantec
2006-07-28 10:37 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-07-26 13:40 ------- d-------- C:\WINDOWS\system32\STEM32~1
2006-07-26 12:47 ------- d-------- C:\Program Files\Internet Explorer
2006-07-25 08:50 ------- d-------- C:\Program Files\Trend Micro
2006-07-21 14:20 541441 ---hs---- C:\WINDOWS\system32\rtutv.bak1
2006-07-21 14:02 ------- d-------- C:\Program Files\eOrders
2006-07-21 13:58 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-07-21 13:58 274432 --------- C:\WINDOWS\Setup1.exe
2006-07-19 10:12 ------- d-------- C:\Documents and Settings\Backoffice\Application Data\Help
2006-07-17 09:42 43 --a------ C:\WINDOWS\reconnect.bat
2006-07-15 01:53 307200 --a------ C:\WINDOWS\system32\netapi32.dll
2006-06-08 12:08 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-06-08 12:08 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-05-16 14:34 87808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HPLJ Config"="C:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\SetConfig.exe -c Direct -p DOT4_002 -pn \"hp LaserJet 1320 PCL 6 (Copy 1)\" -n 1 -l 1033 -sl 120000"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Backoffice.job

Completion time: 13/08/2006 6:49:23.79
ComboFix ver 06.08.12 - This logfile is located at C:\ComboFix.txt




---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:08:09 AM 13/08/2006

+ Scan result:



C:\VundoFix Backups\vtuurpm.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljhgeb.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmnnono.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vtutr.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Backoffice\Cookies\backoffice@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Backoffice\Cookies\backoffice@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\VundoFix Backups\DP.sys -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hynvsuqp.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ncbrwden.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nemntatx.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\orhrdyid.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\temp\win10.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\temp\win653.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end
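Two things in the ComboFix "Find3M" listing above give the Vundo droppings away before any scanner names them: the files sitting directly in System32 carry hidden+system attributes (`---hs----`), which is not how Windows or the Symantec components in the same listing are installed, and they come in pairs whose names are the same letters reversed (jkkjk.dll next to kjkkj.ini2, the older rtutv.* files next to the vtutr.dll that Ewido just quarantined). The script below is an added example for this thread, not ComboFix or Ewido code; it parses that listing format and applies both rules. The sample rows are copied from the 13/08/2006 ComboFix log above and the path convention (`C:\WINDOWS\system32`) is taken from that log.

```python
"""Pick Vundo-style droppings out of a ComboFix "Find3M" file listing.

Added example for this thread; not ComboFix or Ewido code.  Encodes two
patterns visible in the log: hidden+system files dropped straight into
System32, and name stems that also appear reversed (jkkjk / kjkkj).
"""
import re
from collections import defaultdict

# Constructed sample: rows taken from the Find3M report in this thread.
SAMPLE_FIND3M = r"""
2006-08-13 06:49 2680 ---hs---- C:\WINDOWS\system32\kjkkj.ini2
2006-08-13 06:49 ------- d-------- C:\Program Files\Common Files
2006-08-09 11:37 573492 ---hs---- C:\WINDOWS\system32\jkkjk.dll
2006-08-09 11:12 271321 --a------ C:\WINDOWS\system32\mljjj.dll
2006-07-31 12:20 542540 ---hs---- C:\WINDOWS\system32\rtutv.ini2
2006-07-28 14:50 563465 ---hs---- C:\WINDOWS\system32\rtutv.bak2
2006-07-28 10:37 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-07-21 14:20 541441 ---hs---- C:\WINDOWS\system32\rtutv.bak1
2006-07-21 13:58 274432 --------- C:\WINDOWS\Setup1.exe
2006-07-15 01:53 307200 --a------ C:\WINDOWS\system32\netapi32.dll
2006-06-08 12:08 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
"""

# date time size attributes path; directories show "-------" for size and a
# "d" in the nine-character attribute column.
RE_ROW = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attr>[-a-z]{9})\s+(?P<path>.+)$")


def parse_find3m(text):
    """One dict per listing row; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = RE_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def in_system32(path):
    """Directly inside System32, not in a subfolder such as drivers."""
    return re.fullmatch(r"(?i)c:\\windows\\system32\\[^\\]+", path) is not None


def stem(path):
    """File name up to the first dot, lower-cased: 'rtutv.bak2' -> 'rtutv'."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0].lower()


def hidden_system_in_system32(rows):
    """Files ComboFix marks hidden+system that sit straight in System32."""
    return [r["path"] for r in rows
            if "d" not in r["attr"] and in_system32(r["path"])
            and "h" in r["attr"] and "s" in r["attr"]]


def reversed_name_pairs(rows):
    """Group System32 files by name stem; report stems whose reverse also exists."""
    by_stem = defaultdict(list)
    for r in rows:
        if "d" not in r["attr"] and in_system32(r["path"]):
            by_stem[stem(r["path"])].append(r["path"])
    pairs = []
    for s, paths in by_stem.items():
        rev = s[::-1]
        if rev in by_stem and s < rev:      # report each pair once
            pairs.append((sorted(paths), sorted(by_stem[rev])))
    return pairs


if __name__ == "__main__":
    rows = parse_find3m(SAMPLE_FIND3M)
    print("hidden+system in System32:")
    for p in hidden_system_in_system32(rows):
        print("  ", p)
    print("reversed-name pairs:")
    for a, b in reversed_name_pairs(rows):
        print("  ", a, "<->", b)
```

On the sample the attribute rule flags kjkkj.ini2, jkkjk.dll and the three rtutv.* files, and the pairing rule links jkkjk.dll to kjkkj.ini2. Two caveats show why it is a triage aid and not a verdict: mljjj.dll is not hidden, so only its BHO registration in the HijackThis log gives it away, and rtutv.* has no partner left here because vtutr.dll.vir was quarantined by Ewido in the same post, leaving inert configuration files that still want deleting.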

#8 -David- (Members, 10,603 posts, London)

Posted 13 August 2006 - 04:35 AM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less - Click OK
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right Click inside the listbox (white box) and click "add more files"
Copy and paste the 3 entries below into the top 3 boxes (no arrows):

--> C:\WINDOWS\system32\mljjj.dll
--> C:\WINDOWS\system32\jkkjk.dll
--> C:\WINDOWS\SYSTEM32\pmnnono.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

David

#9 osospanky (Topic Starter, Members, 12 posts)

Posted 13 August 2006 - 06:28 PM

Heya David,

Here's the stuff you required.

Had the same result I had previously with VundoFix when I added the files... the first 2 repeated and the third one disappeared... no idea.

But the good news was that HijackThis allowed me to save the log file.

Cheers,

Tina



VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 1:04:02 PM 28/07/2006

Listing files found while scanning....

C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 2:39:02 PM 02/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 12:13:04 PM 04/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 1:25:15 PM 07/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\System32\vtuurpm.dll
C:\WINDOWS\System32\vtuurpm.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.5

Checking Java version...

Sun Java not detected
Scan started at 2:20:44 PM 07/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 9:22:05 AM 09/08/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 9:10:10 AM 14/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\jkkjk.dll Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 9:18:33 AM, on 14/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Backoffice\Desktop\tinas crap\hjthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:5225/ToolboxManager/deviceRegistry
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CDEE99B-EC02-48DC-A317-E1E2967DFC7D} - C:\WINDOWS\System32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT
O4 - Global Startup: Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
O4 - Global Startup: Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat
O15 - Trusted Zone: http://www.e-orders.com.au
O15 - Trusted Zone: http://www.e-orders.com.au (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155396125718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155396072265
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:09:52 AM

Posted 14 August 2006 - 02:49 AM

Hey osospanky,

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {3CDEE99B-EC02-48DC-A317-E1E2967DFC7D} - C:\WINDOWS\System32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\System32\vtuurpm.dll (file missing)
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=-

Save this as "fix.reg". Choose to save as *all files and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please find and delete the following files (If present):

C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\rtutv.ini2
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.bak1

Clean your Cache and Cookies in IE

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Clean your Cache and Cookies in Firefox

° Open the firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

David
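The fix above boils down to two things: the HijackThis entries whose DLL is reported "(file missing)" (orphaned registry references left behind once VundoFix deleted the DLLs), and a REGEDIT4 file that deletes one ShellExecuteHooks value. As an added example, not part of HijackThis, VundoFix or David's reply, here is a small triage script that parses the O2 (BHO) and O20 (Winlogon Notify) lines in the HijackThis log format, picks out the orphaned entries, and builds the same shape of fix.reg for a given CLSID; the sample log is constructed from the entries in this thread.

```python
"""Triage helpers for a HijackThis v1.99 log (added example for this thread).

Parses O2 (BHO) and O20 (Winlogon Notify) lines, flags entries whose DLL is
reported "(file missing)", and emits REGEDIT4 text that removes one
ShellExecuteHooks value, mirroring the fix.reg in the reply above.
"""
import re

# Constructed sample modelled on the 14/08/2006 log in this thread.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {3CDEE99B-EC02-48DC-A317-E1E2967DFC7D} - C:\\WINDOWS\\System32\\jkkjk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\\WINDOWS\\System32\\vtuurpm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
"""

CLSID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
MISSING = " (file missing)"

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + CLSID_RE
                   + r") - (?P<path>.+)$")
# O20 - Winlogon Notify: <subkey> - <dll>[ (file missing)]
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_log(text):
    """Return one dict per recognised O2/O20 line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m, kind = O2_RE.match(line), "O2"
        if not m:
            m, kind = O20_RE.match(line), "O20"
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)]
        entries.append({"kind": kind, "name": m.group("name"),
                        "clsid": m.groupdict().get("clsid"),
                        "path": path, "missing": missing})
    return entries


def orphaned(entries):
    """Entries whose DLL no longer exists: the ones David told Tina to fix.
    A '(no name)' BHO on its own is not a signal: Spybot's SDHelper.dll
    also shows as '(no name)' in this log and must stay."""
    return [e for e in entries if e["missing"]]


def shellexecutehooks_removal_reg(clsid):
    """REGEDIT4 text deleting one ShellExecuteHooks value ('=-' means delete).
    Refuses anything that is not a well-formed {CLSID} so a typo cannot
    turn into a bogus .reg file."""
    if not re.fullmatch(CLSID_RE, clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    return ("REGEDIT4\n\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
            "\\Explorer\\shellexecutehooks]\n"
            '"%s"=-\n' % clsid)


if __name__ == "__main__":
    for e in orphaned(parse_log(SAMPLE_LOG)):
        print(e["kind"], e["name"], e["path"])
        if e["clsid"]:
            print(shellexecutehooks_removal_reg(e["clsid"]))
```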

#11 osospanky

osospanky
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:52 PM

Posted 15 August 2006 - 11:33 PM

heya david,

okies....I'm now thinking that you're a legend.....

panda scan only threw up one thing that I didn't recognize.....yay!!


let me know what you think

thanks,


tina



Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Backoffice\Desktop\tinas crap\smitfraud\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Backoffice\Desktop\tinas crap\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Backoffice\Desktop\tinas crap\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Backoffice\Desktop\tinas crap\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Backoffice\Desktop\tinas crap\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe



Logfile of HijackThis v1.99.1
Scan saved at 2:14:12 PM, on 16/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Backoffice\Desktop\tinas crap\hjthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:5225/ToolboxManager/deviceRegistry
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1320 PCL 6 (Copy 1)" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clear Backoffice Flag.lnk = L:\BREEZE\Setup\BATFILES\CLRINUSE.BAT
O4 - Global Startup: Clear All Win32 Flags.lnk = breeze\Setup\Batfiles\Clrusrfl.bat
O4 - Global Startup: Reconnect to POS.lnk = C:\WINDOWS\reconnect.bat
O15 - Trusted Zone: http://www.e-orders.com.au
O15 - Trusted Zone: http://www.e-orders.com.au (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155396125718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155396072265
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0C80615-F03B-447F-BBFC-EEDC3799C321}: NameServer = 61.8.0.113 210.23.129.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:09:52 AM

Posted 16 August 2006 - 03:33 AM

Nothing wrong in the Panda log at all, they are parts of the tools we used before.
The Hijackthis log and Panda logs are now clean.
Let me know how the system is running please! :thumbsup:
David

#13 osospanky

osospanky
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:52 PM

Posted 16 August 2006 - 07:19 AM

well I was right....you're an absolute legend

I never guessed my ass would be saved by the trojanator :thumbsup:


the pc's been running fine for the past 2 days and with absolutely no hiccups from any of the trillion spyware proggys that are running on it

is it safe to delete that process.exe file that's in sys32?....I've killed the crap out of the tinas crap file already but have left that one

I've gotta say I'm absolutely loving your work right about now


I believe I owe you a beer if ever I'm in london

tina

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:09:52 AM

Posted 16 August 2006 - 01:22 PM

Glad I could help Tina! :thumbsup:
The latest log is looking clean!

You can go ahead and delete the process.exe in system32 if you like, no harm in doing so.
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasoft's© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacool's© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David
