Pop Ups


This topic is locked. 6 replies to this topic.

#1 neilbeard
Members, 6 posts

Posted 26 August 2006 - 11:24 AM

Hi, can anyone help with my pop-ups?

I have posted the following log:
Logfile of HijackThis v1.99.1
Scan saved at 17:04:07, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{0C3B493F-0C80-2057-1112-04040901002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SolidWorks\sldworks.exe
C:\DOCUME~1\NEILBE~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowexec.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 miekiemoes
Malware Killer Dog
Malware Response Team, 19,420 posts, Belgium

Posted 28 August 2006 - 02:28 PM

Hello,

Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Then, download ComboFix to your desktop.
Double-click combo.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after the reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the log from VundoFix, which will be present on your C:\ with the name vundofix.txt.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 neilbeard (Topic Starter)
Members, 6 posts

Posted 30 August 2006 - 01:58 PM

Hi, VundoFix came up with nothing, but here is the log from ComboFix:

Neil Beard - 06-08-30 19:46:37.06
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Neil Beard\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{3E2EF72C-1B70-4A4F-83E8-C1EF3D698BDC}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{3E2EF72C-1B70-4A4F-83E8-C1EF3D698BDC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E2EF72C-1B70-4A4F-83E8-C1EF3D698BDC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E2EF72C-1B70-4A4F-83E8-C1EF3D698BDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\dRd9.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{28C39303-1225-412F-BC6B-B7D45C88DCED}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{28C39303-1225-412F-BC6B-B7D45C88DCED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28C39303-1225-412F-BC6B-B7D45C88DCED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28C39303-1225-412F-BC6B-B7D45C88DCED}\InprocServer32]
@="C:\\WINDOWS\\system32\\dpdskres.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Neil Beard\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\tsuninst.exe
C:\Program Files\Cowabanga
C:\Program Files\Common Files\{0C3B493F-0C80-2057-1112-04040901002c}


((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))


2006-08-30 19:11 787,521 ---hs---- C:\WINDOWS\system32\dgjlm.bak1
2006-08-27 16:28 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2006-08-27 16:28 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2006-08-27 16:28 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2006-08-27 16:28 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2006-08-27 16:28 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-08-27 16:28 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2006-08-27 16:28 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2006-08-23 19:19 13,844 --a------ C:\WINDOWS\system32\lypiyxmj.exe
2006-07-30 09:45 81,920 --a------ C:\WINDOWS\system32\wowexec.dll
2006-07-30 09:45 2 --a------ C:\WINDOWS\system32\wapiit.exe
2006-07-30 09:45 14,848 --a------ C:\WINDOWS\system32\cool.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-30 19:51 -------- d-------- C:\Program Files\Common Files
2006-08-30 19:11 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-30 19:01 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-30 19:01 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Skype
2006-08-30 19:00 -------- d---s---- C:\Documents and Settings\Neil Beard\Application Data\Microsoft
2006-08-30 18:53 2508 --a------ C:\Documents and Settings\Neil Beard\Application Data\$_hpcst$.hpc
2006-08-30 18:50 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-28 19:33 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\SolidWorks
2006-08-28 15:10 -------- d-------- C:\Program Files\DVD Region+CSS Free
2006-08-28 15:09 -------- d-------- C:\Program Files\GordianKnot
2006-08-28 15:06 -------- d-------- C:\Program Files\AviSynth 2.5
2006-08-28 15:04 -------- d-------- C:\Program Files\Gabest
2006-08-28 14:34 85 ---hs---- C:\Documents and Settings\Neil Beard\Application Data\.zreglib
2006-08-28 14:14 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Elaborate Bytes
2006-08-28 10:16 -------- d-------- C:\Program Files\Elaborate Bytes
2006-08-28 10:09 -------- d-------- C:\Program Files\SlySoft
2006-08-27 22:09 -------- d-------- C:\Program Files\PacificPoker
2006-08-27 22:09 -------- d-------- C:\Program Files\CasinoOnNet
2006-08-27 16:43 -------- d-------- C:\Program Files\HP
2006-08-27 16:42 -------- d-------- C:\Program Files\Common Files\HP
2006-08-27 16:37 -------- d-------- C:\Program Files\Hewlett-Packard
2006-08-27 16:34 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-08-27 16:20 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\HP
2006-08-27 16:04 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Adobe
2006-08-26 17:58 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\DassaultSystemes
2006-08-26 17:04 -------- d-------- C:\Program Files\Hijackthis
2006-08-26 17:01 -------- d-------- C:\Program Files\MSN Messenger
2006-08-26 13:13 -------- d-------- C:\Program Files\LimeWire
2006-08-23 19:23 -------- d-------- C:\Program Files\Internet Explorer
2006-08-18 02:58 20096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-07-29 22:04 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Macromedia
2006-07-29 22:00 -------- d-------- C:\Program Files\Macromedia
2006-07-29 21:35 573492 --------- C:\WINDOWS\system32\mljgd.dll
2006-07-29 21:29 18944 --------- C:\WINDOWS\system32\winpdc32.dll
2006-07-29 21:26 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-07-29 20:27 -------- d-------- C:\Program Files\ComPlus Applications
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-28 21:19 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-28 21:17 -------- d-------- C:\Program Files\WinRAR
2006-07-28 21:17 -------- d-------- C:\Program Files\Common Files\wium
2006-07-28 21:17 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Sonic
2006-07-28 21:17 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\InterVideo
2006-07-28 21:16 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-28 21:16 -------- d-------- C:\Program Files\Microsoft Works
2006-07-28 21:16 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-07-28 21:12 -------- d-------- C:\Program Files\Common Files\Designer
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 19:40 -------- d-------- C:\Program Files\Skype
2006-07-26 19:23 29200 --a------ C:\WINDOWS\system32\w040191e.dll
2006-07-26 19:17 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Leadertech
2006-07-26 18:23 -------- d-------- C:\Program Files\Microsoft Office
2006-07-26 18:22 -------- d-------- C:\Program Files\Common Files\System
2006-07-26 08:26 -------- d-------- C:\Program Files\Adobe
2006-07-25 19:21 -------- d-------- C:\Program Files\WinZip
2006-07-25 19:01 -------- d-------- C:\Program Files\SolidWorks
2006-07-25 19:01 -------- d-------- C:\Program Files\Common Files\SolidWorks Shared
2006-07-25 18:59 -------- d-------- C:\Program Files\Common Files\Bluebeam Software
2006-07-25 18:59 -------- d-------- C:\Program Files\Bluebeam Software
2006-07-25 18:57 -------- d--h----- C:\Program Files\Uninstall Information
2006-07-25 18:57 -------- d-------- C:\Program Files\Common Files\Solidworks Data
2006-07-25 18:40 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-07-25 18:39 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-25 18:39 -------- d-------- C:\Program Files\Belkin
2006-07-25 18:30 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-25 18:24 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-25 03:12 -------- d-------- C:\Program Files\Messenger
2006-07-25 03:04 -------- d-------- C:\Program Files\Windows Media Player
2006-07-25 03:01 -------- d-------- C:\Program Files\Outlook Express
2006-07-24 22:44 -------- d-------- C:\Program Files\SymNetDrv
2006-07-24 22:44 -------- d-------- C:\Program Files\Symantec
2006-07-24 22:39 -------- d-------- C:\Program Files\Java
2006-07-24 22:35 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Symantec
2006-07-24 22:28 -------- d-------- C:\Program Files\Common Files\Java
2006-07-24 22:28 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Sun
2006-07-24 22:27 -------- d-------- C:\Program Files\HPQ
2006-07-24 22:26 -------- d-------- C:\Program Files\Common Files\Sonic
2006-07-24 22:25 20576 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-07-24 22:25 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-07-24 22:25 103936 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-07-24 22:25 -------- d-------- C:\Program Files\Sonic
2006-07-24 22:25 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-07-24 22:24 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-07-24 22:24 -------- d-------- C:\Program Files\Common Files\ODBC
2006-07-24 22:23 -------- d-------- C:\Program Files\QuickTime
2006-07-24 22:23 -------- d-------- C:\Program Files\iTunes
2006-07-24 22:23 -------- d-------- C:\Program Files\iPod
2006-07-24 22:23 -------- d-------- C:\Program Files\Easy Internet signup
2006-07-24 22:23 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Apple Computer
2006-07-24 22:22 62 --ahs---- C:\Documents and Settings\Neil Beard\Application Data\desktop.ini
2006-07-24 22:22 -------- d-------- C:\Program Files\Online Services
2006-07-24 22:18 -------- d-------- C:\Program Files\InterVideo
2006-07-24 22:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-24 22:12 -------- d-------- C:\Program Files\ATI Technologies
2006-07-24 22:04 44 --a------ C:\WINDOWS\system32\msssc.dll
2006-07-24 21:52 -------- d-------- C:\Program Files\Apoint2K
2006-07-24 21:50 -------- d-------- C:\Program Files\WIDCOMM
2006-07-24 21:49 -------- d-------- C:\Program Files\Analog Devices
2006-07-24 21:46 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Identities
2006-07-24 21:38 0 -rahs---- C:\MSDOS.SYS
2006-07-24 21:38 0 -rahs---- C:\IO.SYS
2006-07-24 21:38 0 --a------ C:\CONFIG.SYS
2006-07-24 21:38 0 --a------ C:\AUTOEXEC.BAT
2006-07-24 21:38 -------- d-------- C:\Program Files\xerox
2006-07-24 21:38 -------- d-------- C:\Program Files\microsoft frontpage
2006-07-24 21:36 -------- d--h----- C:\Program Files\WindowsUpdate
2006-07-24 21:35 -------- d-------- C:\Program Files\NetMeeting
2006-07-24 21:35 -------- d-------- C:\Program Files\Movie Maker
2006-07-24 21:35 -------- d-------- C:\Program Files\Common Files\Services
2006-07-24 21:35 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-07-24 21:33 -------- d-------- C:\Program Files\Windows NT
2006-07-24 21:33 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-07-24 21:32 -------- d-------- C:\Program Files\MSN
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"AnyDVD"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MI3AA1~1\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Neil Beard.job

Completion time: 30/08/2006 19:53:28.48
ComboFix.txt
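The ComboFix log above shows the naming pattern the helper goes after in the next post: a DLL in system32 (mljgd.dll, winpdc32.dll) registered as a Winlogon\Notify package, with its state kept under the reversed file name (dgjlm.bak1 here, dgjlm.ini and dgjlm.bak2 in the later log) and hidden+system attributes. What follows is an added example, not part of the original post and not ComboFix code: a Python script that applies those three correlations to a constructed sample of lines copied from this log. The heuristics and the function names are my own; the file names and registry paths come from the log.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the ComboFix log posted
# above ("Files Created", "Find3M" and the Winlogon\Notify lines under
# "Reg Loading Points"), trimmed to what the heuristics below need.
COMBOFIX_SAMPLE = r"""
2006-08-30 19:11 787,521 ---hs---- C:\WINDOWS\system32\dgjlm.bak1
2006-08-27 16:28 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2006-08-23 19:19 13,844 --a------ C:\WINDOWS\system32\lypiyxmj.exe
2006-07-30 09:45 81,920 --a------ C:\WINDOWS\system32\wowexec.dll
2006-07-29 21:35 573492 --------- C:\WINDOWS\system32\mljgd.dll
2006-07-29 21:29 18944 --------- C:\WINDOWS\system32\winpdc32.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-24 21:38 0 -rahs---- C:\MSDOS.SYS
2006-07-24 21:38 -------- d-------- C:\Program Files\xerox
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32
"""

# ComboFix file line: <date> <time> <size, or -------- for dirs> <attrs> <path>
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# Registry path of a Winlogon\Notify subkey, as ComboFix prints it
NOTIFY_LINE = re.compile(r"\\winlogon\\notify\\([^\\]+)$", re.IGNORECASE)


def parse_combofix(text):
    """Return ([(path, attrs)], [notify subkey names]) from ComboFix output."""
    files, notify = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            files.append((m.group(5), m.group(4)))
            continue
        m = NOTIFY_LINE.search(line)
        if m:
            notify.append(m.group(1).lower())
    return files, notify


def find_vundo_indicators(text):
    """Map each suspicious path to the list of reasons it was flagged."""
    files, notify = parse_combofix(text)
    findings = defaultdict(list)
    # Lower-case basename -> (path, attrs). A basename seen in two directories
    # keeps the last one; good enough for a system32 listing.
    by_name = {p.rsplit("\\", 1)[-1].lower(): (p, a) for p, a in files}
    dll_by_stem = {n[:-4]: pa[0] for n, pa in by_name.items() if n.endswith(".dll")}

    for name, (path, attrs) in by_name.items():
        stem, _, ext = name.rpartition(".")
        # 1. Vundo keeps its state next to the DLL under the reversed name:
        #    mljgd.dll <-> dgjlm.ini / dgjlm.bak1 / dgjlm.bak2.
        if ext == "ini" or ext.startswith("bak"):
            partner = dll_by_stem.get(stem[::-1])
            if partner:
                findings[partner].append(f"reversed-name companion {path}")
                findings[path].append(f"state file for {partner}")
        # 2. Hidden+system attributes on an ordinary file inside system32.
        #    MSDOS.SYS in the root is legitimately 'rahs', so stay in system32.
        if ("\\system32\\" in path.lower() and attrs[0] != "d"
                and "h" in attrs and "s" in attrs):
            findings[path].append(f"hidden+system file in system32 ({attrs})")

    # 3. A Winlogon\Notify package is a DLL that winlogon.exe loads at logon.
    #    A subkey named after a recently created system32 DLL is the
    #    persistence the helper removes with "combofix.exe /v mljgd winpdc32".
    for sub in notify:
        partner = dll_by_stem.get(sub)
        if partner:
            findings[partner].append(f"Winlogon\\Notify subkey '{sub}'")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(find_vundo_indicators(COMBOFIX_SAMPLE).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample this flags mljgd.dll, dgjlm.bak1 and winpdc32.dll and leaves the HP printer DLLs alone; lypiyxmj.exe is not caught, because a random-looking name on its own is not one of the three correlations. Winlogon\Notify packages were dropped after Windows XP, so on a current system the equivalent check is the Winlogon notification replacement points (for example the Winlogon\Userinit and Shell values), not this subkey.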

#4 miekiemoes
Malware Killer Dog
Malware Response Team, 19,420 posts, Belgium

Posted 30 August 2006 - 02:25 PM

Hello,

Strange, VundoFix didn't find anything; it is present though. We'll deal with it in another way.
By the way, I notice that you installed your Windows only 1 month ago? And managed to get infected a couple of days later :thumbsup:

Check and fix the next entry in HijackThis:

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowexec.dll

Ignore the error you'll get. Then reboot! Important!

After reboot,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the next files and folders:

C:\WINDOWS\system32\lypiyxmj.exe
C:\WINDOWS\system32\wowexec.dll <== DON'T delete wowexec.exe!! Because that one is legit!
C:\WINDOWS\system32\wapiit.exe
C:\WINDOWS\system32\cool.exe
C:\Program Files\PacificPoker <== folder if you didn't install this, but first look if it is present in software > add/remove programs and uninstall it. Then delete the folder if still present.
C:\Program Files\CasinoOnNet <== folder if you didn't install this, but first look if it is present in software > add/remove programs and uninstall it. Then delete the folder if still present.
C:\Program Files\Common Files\wium <== folder
C:\WINDOWS\system32\w040191e.dll

Then, go to Start > Run and copy and paste the next command into the field:

"C:\Documents and Settings\Neil Beard\Desktop\combofix.exe" /v mljgd winpdc32


Hit enter.
This should start ComboFix again. You really have to perform it the way I explained, by copying and pasting the above into Start > Run, because that's a special command to deal with some infections. Running ComboFix by double-clicking on it won't deal with these.

ComboFix will reboot your computer. After the reboot, post the log from ComboFix together with a new HijackThis log (you forgot that previously).

Edited by miekiemoes, 30 August 2006 - 02:26 PM.

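The entry fixed in this post, O20 - AppInit_DLLs: C:\WINDOWS\system32\wowexec.dll, is worth flagging for two independent reasons: a DLL listed in AppInit_DLLs is mapped into every process that loads user32.dll, and the file borrows the name of the legitimate wowexec.exe with a different extension, which is exactly why the helper warns not to delete the .exe. The following is an added example, not part of the original post and not HijackThis code: a Python triage pass over a constructed sample of lines copied from the first HijackThis log in this thread. It parses the "Running processes" section and the R/O entries, extracts the binary path, and flags AppInit_DLLs entries, name collisions with well-known Windows binaries, GUID-named or Temp folders, and services with no publisher. The allowlist of binary names, the severity labels and the function names are my own assumptions, and a hit is a review item, not a verdict: SolidWorksLicTemp.0001 trips the Temp rule although it belongs to the SolidWorks licence check, while Update.exe under Common Files\{0C3B493F-...} is the folder ComboFix removed in the previous post.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted at
# the top of this thread, trimmed to the entries the rules below act on.
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\{0C3B493F-0C80-2057-1112-04040901002c}\Update.exe
C:\DOCUME~1\NEILBE~1\LOCALS~1\Temp\SolidWorksLicTemp.0001

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowexec.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
QUOTED = re.compile(r'"([A-Za-z]:\\[^"]+)"')
# Unquoted path: drive letter up to an extension followed by whitespace or end
BARE = re.compile(r"([A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})(?=\s|$)")
GUID_DIR = re.compile(r"\\\{[0-9a-f-]{36}\}\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)

# Assumed allowlist (mine, not HijackThis data): stem -> the only extension a
# file of that name legitimately has in a Windows XP system32 directory.
LEGIT_STEMS = {
    "wowexec": "exe", "ctfmon": "exe", "svchost": "exe", "rundll32": "exe",
    "explorer": "exe", "winlogon": "exe", "lsass": "exe", "smss": "exe",
    "services": "exe", "spoolsv": "exe",
}


def extract_path(text):
    """Return the first Windows path in an entry, quoted form preferred."""
    m = QUOTED.search(text) or BARE.search(text)
    return m.group(1) if m else None


def parse_hijackthis(text):
    """Yield (code, line, path) for running processes and R/F/O entries."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            yield "PROC", line, line
            continue
        m = ENTRY.match(line)
        if m:
            yield m.group(1), line, extract_path(m.group(2))


def triage_hijackthis(text):
    """Return review items {code, path, severity, reason}, one per rule hit."""
    findings = []
    for code, line, path in parse_hijackthis(text):
        if not path:
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        hits = []
        if code == "O20":
            hits.append(("high", "AppInit_DLLs entry: mapped into every process that loads user32.dll"))
        if stem in LEGIT_STEMS and ext != LEGIT_STEMS[stem]:
            hits.append(("high", f"name collides with Windows binary {stem}.{LEGIT_STEMS[stem]}"))
        if GUID_DIR.search(path):
            hits.append(("medium", "runs from a GUID-named folder"))
        if TEMP_DIR.search(path):
            hits.append(("medium", "runs from a Temp directory (check which product owns it)"))
        if code == "O23" and "unknown owner" in line.lower():
            hits.append(("low", "service binary carries no publisher information"))
        for severity, reason in hits:
            findings.append({"code": code, "path": path, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage_hijackthis(HJT_SAMPLE), key=lambda f: order[f["severity"]]):
        print(f"[{f['severity']:<6}] {f['code']:<4} {f['path']}\n         {f['reason']}")
```

wowexec.dll scores two high hits (AppInit_DLLs plus the name collision), the two Symantec and Messenger entries and ctfmon.exe score none, and the ATI service is low only because its binary has no owner string, which is true of plenty of OEM drivers. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so the O20 rule matters on older systems such as the XP SP2 machine in this thread.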

#5 neilbeard (Topic Starter)
Members, 6 posts

Posted 03 September 2006 - 03:30 AM

Hello, sorry for my late reply; please find the following:

Neil Beard - 06-09-03 9:24:57.90
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Neil Beard\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\winpdc32.dll
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\winpdc32.dll

((((((((((((((((((((((((((((((( Files Created from 2006-08-03 to 2006-09-03 ))))))))))))))))))))))))))))))))))


2006-08-27 16:28 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2006-08-27 16:28 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2006-08-27 16:28 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2006-08-27 16:28 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2006-08-27 16:28 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-08-27 16:28 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2006-08-27 16:28 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-03 09:22 -------- d-------- C:\Program Files\Common Files
2006-09-03 09:14 -------- d-------- C:\Program Files\Hijackthis
2006-09-03 09:12 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-03 09:12 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Skype
2006-08-30 19:11 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-30 19:00 -------- d---s---- C:\Documents and Settings\Neil Beard\Application Data\Microsoft
2006-08-30 18:53 2508 --a------ C:\Documents and Settings\Neil Beard\Application Data\$_hpcst$.hpc
2006-08-30 18:50 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-28 19:33 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\SolidWorks
2006-08-28 15:10 -------- d-------- C:\Program Files\DVD Region+CSS Free
2006-08-28 15:09 -------- d-------- C:\Program Files\GordianKnot
2006-08-28 15:06 -------- d-------- C:\Program Files\AviSynth 2.5
2006-08-28 15:04 -------- d-------- C:\Program Files\Gabest
2006-08-28 14:34 85 ---hs---- C:\Documents and Settings\Neil Beard\Application Data\.zreglib
2006-08-28 14:14 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Elaborate Bytes
2006-08-28 10:16 -------- d-------- C:\Program Files\Elaborate Bytes
2006-08-28 10:09 -------- d-------- C:\Program Files\SlySoft
2006-08-27 16:43 -------- d-------- C:\Program Files\HP
2006-08-27 16:42 -------- d-------- C:\Program Files\Common Files\HP
2006-08-27 16:37 -------- d-------- C:\Program Files\Hewlett-Packard
2006-08-27 16:34 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-08-27 16:20 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\HP
2006-08-27 16:04 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Adobe
2006-08-26 17:58 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\DassaultSystemes
2006-08-26 17:01 -------- d-------- C:\Program Files\MSN Messenger
2006-08-26 13:13 -------- d-------- C:\Program Files\LimeWire
2006-08-23 19:23 -------- d-------- C:\Program Files\Internet Explorer
2006-08-18 02:58 20096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-07-29 22:04 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Macromedia
2006-07-29 22:00 -------- d-------- C:\Program Files\Macromedia
2006-07-29 21:29 18944 --a------ C:\WINDOWS\system32\winpdc32.dll
2006-07-29 21:26 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-07-29 20:27 -------- d-------- C:\Program Files\ComPlus Applications
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-28 21:19 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-28 21:17 -------- d-------- C:\Program Files\WinRAR
2006-07-28 21:17 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Sonic
2006-07-28 21:17 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\InterVideo
2006-07-28 21:16 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-28 21:16 -------- d-------- C:\Program Files\Microsoft Works
2006-07-28 21:16 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-07-28 21:12 -------- d-------- C:\Program Files\Common Files\Designer
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 19:40 -------- d-------- C:\Program Files\Skype
2006-07-26 19:17 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Leadertech
2006-07-26 18:23 -------- d-------- C:\Program Files\Microsoft Office
2006-07-26 18:22 -------- d-------- C:\Program Files\Common Files\System
2006-07-26 08:26 -------- d-------- C:\Program Files\Adobe
2006-07-25 19:21 -------- d-------- C:\Program Files\WinZip
2006-07-25 19:01 -------- d-------- C:\Program Files\SolidWorks
2006-07-25 19:01 -------- d-------- C:\Program Files\Common Files\SolidWorks Shared
2006-07-25 18:59 -------- d-------- C:\Program Files\Common Files\Bluebeam Software
2006-07-25 18:59 -------- d-------- C:\Program Files\Bluebeam Software
2006-07-25 18:57 -------- d--h----- C:\Program Files\Uninstall Information
2006-07-25 18:57 -------- d-------- C:\Program Files\Common Files\Solidworks Data
2006-07-25 18:40 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-07-25 18:39 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-25 18:39 -------- d-------- C:\Program Files\Belkin
2006-07-25 18:30 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-25 18:24 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-25 03:12 -------- d-------- C:\Program Files\Messenger
2006-07-25 03:04 -------- d-------- C:\Program Files\Windows Media Player
2006-07-25 03:01 -------- d-------- C:\Program Files\Outlook Express
2006-07-24 22:44 -------- d-------- C:\Program Files\SymNetDrv
2006-07-24 22:44 -------- d-------- C:\Program Files\Symantec
2006-07-24 22:39 -------- d-------- C:\Program Files\Java
2006-07-24 22:35 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Symantec
2006-07-24 22:28 -------- d-------- C:\Program Files\Common Files\Java
2006-07-24 22:28 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Sun
2006-07-24 22:27 -------- d-------- C:\Program Files\HPQ
2006-07-24 22:26 -------- d-------- C:\Program Files\Common Files\Sonic
2006-07-24 22:25 20576 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-07-24 22:25 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-07-24 22:25 103936 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-07-24 22:25 -------- d-------- C:\Program Files\Sonic
2006-07-24 22:25 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-07-24 22:24 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-07-24 22:24 -------- d-------- C:\Program Files\Common Files\ODBC
2006-07-24 22:23 -------- d-------- C:\Program Files\QuickTime
2006-07-24 22:23 -------- d-------- C:\Program Files\iTunes
2006-07-24 22:23 -------- d-------- C:\Program Files\iPod
2006-07-24 22:23 -------- d-------- C:\Program Files\Easy Internet signup
2006-07-24 22:23 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Apple Computer
2006-07-24 22:22 62 --ahs---- C:\Documents and Settings\Neil Beard\Application Data\desktop.ini
2006-07-24 22:22 -------- d-------- C:\Program Files\Online Services
2006-07-24 22:18 -------- d-------- C:\Program Files\InterVideo
2006-07-24 22:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-24 22:12 -------- d-------- C:\Program Files\ATI Technologies
2006-07-24 22:04 44 --a------ C:\WINDOWS\system32\msssc.dll
2006-07-24 21:52 -------- d-------- C:\Program Files\Apoint2K
2006-07-24 21:50 -------- d-------- C:\Program Files\WIDCOMM
2006-07-24 21:49 -------- d-------- C:\Program Files\Analog Devices
2006-07-24 21:46 -------- d-------- C:\Documents and Settings\Neil Beard\Application Data\Identities
2006-07-24 21:38 0 -rahs---- C:\MSDOS.SYS
2006-07-24 21:38 0 -rahs---- C:\IO.SYS
2006-07-24 21:38 0 --a------ C:\CONFIG.SYS
2006-07-24 21:38 0 --a------ C:\AUTOEXEC.BAT
2006-07-24 21:38 -------- d-------- C:\Program Files\xerox
2006-07-24 21:38 -------- d-------- C:\Program Files\microsoft frontpage
2006-07-24 21:36 -------- d--h----- C:\Program Files\WindowsUpdate
2006-07-24 21:35 -------- d-------- C:\Program Files\NetMeeting
2006-07-24 21:35 -------- d-------- C:\Program Files\Movie Maker
2006-07-24 21:35 -------- d-------- C:\Program Files\Common Files\Services
2006-07-24 21:35 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-07-24 21:33 -------- d-------- C:\Program Files\Windows NT
2006-07-24 21:33 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-07-24 21:32 -------- d-------- C:\Program Files\MSN
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"AnyDVD"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MI3AA1~1\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Neil Beard.job

Completion time: 03/09/2006 9:27:32.70
ComboFix.txt
ComboFix2.txt




Also


Logfile of HijackThis v1.99.1
Scan saved at 09:30:36, on 03/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cscript.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28515A08-393E-48FC-9EEE-D5775C4D36D0} - C:\Program Files\ComPlus Applications\niwy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thanks


Neil

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:45 PM

Posted 03 September 2006 - 05:03 AM

Hello,

Check and fix the next entry in HijackThis:

O2 - BHO: (no name) - {28515A08-393E-48FC-9EEE-D5775C4D36D0} - C:\Program Files\ComPlus Applications\niwy.dll (file missing)

Delete the next file:
C:\WINDOWS\system32\winpdc32.dll

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Java icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
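The entry the helper asks to fix above is a typical sign of a dead or hidden browser helper object: an O2 line with no name and a DLL path that no longer exists. The following is an added example, not code from the thread or from HijackThis, that parses HijackThis v1.99.1 `O2 - BHO` lines and flags entries with those two traits. The sample log lines are constructed from the O2 and O4 entries visible in the log above; the allowlist of known-good CLSIDs is an assumption for this example, seeded with the Spybot SDHelper entry the helper left alone.

```python
import re

# Shape of a HijackThis O2 line:
#   O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Assumed allowlist for this example: BHO CLSIDs already reviewed and accepted.
# Spybot's SDHelper also reports "(no name)", so name alone is a weak signal.
KNOWN_GOOD_CLSIDS = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper.dll
}

# Constructed sample: O2 lines from the log above plus one non-O2 line.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {28515A08-393E-48FC-9EEE-D5775C4D36D0} - C:\Program Files\ComPlus Applications\niwy.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]


def parse_o2(line):
    """Return a dict for an O2 line, or None for any other line type."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid").upper(),   # normalise case for allowlist lookups
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def suspicious_bhos(lines, known_good=KNOWN_GOOD_CLSIDS):
    """Flag O2 entries that have no name and/or point at a missing file.

    Entries whose CLSID is on the reviewed allowlist are skipped, so a
    legitimate unnamed helper such as SDHelper does not produce noise.
    """
    findings = []
    for line in lines:
        entry = parse_o2(line)
        if entry is None or entry["clsid"] in known_good:
            continue
        reasons = []
        if entry["name"] == "(no name)":
            reasons.append("no name")
        if entry["file_missing"]:
            reasons.append("file missing")
        if reasons:
            findings.append({"clsid": entry["clsid"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_bhos(SAMPLE_LOG):
        print(f"{f['clsid']} {f['path']} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, only the `niwy.dll` entry is reported, for both reasons; a "file missing" BHO is worth removing regardless of name, since the registration outlives the DLL and would load it again the moment a file reappears at that path.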

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:45 PM

Posted 10 September 2006 - 02:41 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
