Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Outerinfo Madness!


  • Please log in to reply
13 replies to this topic

#1 AmberD

AmberD

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 11 November 2006 - 12:35 PM

OuterInfo popups are driving me mad! I have tried all the suggestions you have suggested to try before giving you the hijackthis log. Here is the current log. I hope you can help me!

Thanks,
Amber

Logfile of HijackThis v1.99.1
Scan saved at 11:27:07 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R3 - URLSearchHook: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Obhn] "C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: regedit.dll explorer.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: Comppop - {E5E55E48-CE95-41E0-B360-565020027A29} - C:\WINDOWS\system32\bootstyle.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 11 November 2006 - 05:14 PM

Hello AmberD,

I am SifuMike and I will be helping you. :thumbsup:

Look in your control panels add/remove programs for any of these and uninstall them (if there):

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

and any other programs you didn't install or don't recognize - if your not sure please ask first


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Do not proceed with the rest of the fix if you fail to run combofix
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Sheild' and 'Automatic Updates'. If you choose to do this, then right click on ewdio in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware 7.5

When done, submit the AVG Anti-Spyware 7.5 log, ComboFix log, and a  fresh Hijackthis log.

Edited by SifuMike, 11 November 2006 - 05:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AmberD

AmberD
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 11 November 2006 - 07:59 PM

Thanks for all the help so far. There were no files in my Add/Remove Programs to remove. I did all the scans you requested but I didn't run the computer in Safe Mode cuz I couldn't get it to enter safe mode...I have a wireless keyboard and that may be why? Here are my log files.

Thanks for the help!

Amber - 06-11-11 17:34:34.01 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Amber\My Documents\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnsintsv.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Amber\Application Data\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\ASKS~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\DOBE~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\MANTEC~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\YMANTE~1
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\SMBOLS~1
C:\QooBox\Purity\Program Files\TSKS~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\SKS~1
C:\QooBox\Purity\Program Files\Common Files\STEM32~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1\??plorer_exe.vir
C:\QooBox\Purity\Program Files\DOBE~1\?ystem32
C:\QooBox\Purity\Program Files\DOBE~1\?dobe
C:\QooBox\Purity\Program Files\ICROSO~1.NET\chkdsk.exe
C:\QooBox\Purity\Program Files\ICROSO~1.NET\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ASEMBL~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET\M?crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1\?icrosoft


((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


2006-11-10 07:48 131,072 --------- C:\WINDOWS\system32\tbfck.dll
2006-10-30 07:27 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-10-30 07:27 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-11 17:35 -------- d-------- C:\Program Files\Common Files
2006-11-11 11:26 -------- d-------- C:\Program Files\Hijackthis
2006-11-11 09:46 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-11 09:45 -------- d-------- C:\Program Files\MSN Messenger
2006-11-11 09:44 -------- d-------- C:\Program Files\Messenger
2006-11-11 09:42 -------- d-------- C:\Program Files\Internet Explorer
2006-11-11 09:41 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-10 21:12 -------- d-------- C:\Program Files\Common Files\Real
2006-11-10 21:12 -------- d-------- C:\Documents and Settings\Amber\Application Data\Real
2006-11-10 20:09 -------- d-------- C:\Documents and Settings\Amber\Application Data\Lavasoft
2006-11-10 20:08 -------- d-------- C:\Program Files\Lavasoft
2006-11-06 17:47 -------- d-------- C:\Program Files\Registry Mechanic
2006-11-02 21:42 -------- d-------- C:\Program Files\Comprehensive Review 3e
2006-10-30 07:27 -------- d-------- C:\Program Files\XviD
2006-10-28 09:49 -------- d-------- C:\Documents and Settings\Amber\Application Data\àppPatch
2006-10-20 19:33 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-10-19 09:17 -------- d-------- C:\Program Files\Real
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Obhn"="\"C:\\PROGRA~1\\ICROSO~1.NET\\chkdsk.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
@="C:\\WINDOWS\\Options\\OEMReset.exe /Audit"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PDUiP6600DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\iP6600D\\PDUiP6600DMon.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SoundMan"="SOUNDMAN.EXE"
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,80,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Obhn"="\"C:\\PROGRA~1\\DOBE~1\\chkntfs.exe\" -vt ndrv"
@="C:\\WINDOWS\\System32\\DDPLAY~1.EXE"
"Cqebr"="C:\\Documents and Settings\\Amber\\Application Data\\??mantec\\??oolsv.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Obhn"="\"C:\\PROGRA~1\\DOBE~1\\chkntfs.exe\" -vt ndrv"
@="C:\\WINDOWS\\System32\\DDPLAY~1.EXE"
"Cqebr"="C:\\Documents and Settings\\Amber\\Application Data\\??mantec\\??oolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Comppop"="{E5E55E48-CE95-41E0-B360-565020027A29}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Amber.job

Completion time: 06-11-11 17:36:01.45
C:\ComboFix.txt ... 06-11-11 17:36



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:48:28 PM 11/11/2006

+ Scan result:



C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP671\A0133680.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1\ехplorer_exe.vir -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP591\A0122861.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP609\A0124542.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP609\A0124543.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP613\A0124798.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP637\A0130790.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP638\A0130863.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP640\A0131047.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP641\A0131088.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP641\A0131089.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP642\A0131123.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP643\A0131187.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP643\A0131188.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP645\A0131258.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP646\A0131327.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP648\A0131468.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP648\A0131498.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP651\A0132589.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP654\A0132681.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP654\A0132709.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP656\A0132765.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP658\A0132772.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP660\A0132833.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP662\A0132889.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP663\A0132921.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP664\A0132951.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP666\A0132996.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP668\A0133119.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP670\A0133212.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP670\A0133213.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP671\A0133685.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tbfck.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP671\A0133682.exe -> Downloader.Delmed.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP591\A0122860.exe -> Downloader.PurityScan.cl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP613\A0124788.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 6:50:16 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R3 - URLSearchHook: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Obhn] "C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: regedit.dll explorer.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: Comppop - {E5E55E48-CE95-41E0-B360-565020027A29} - C:\WINDOWS\system32\bootstyle.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 11 November 2006 - 09:36 PM

Hello Amber,

did all the scans you requested but I didn't run the computer in Safe Mode cuz I couldn't get it to enter safe mode...I have a wireless keyboard and that may be why?


No, that is not the reason. It sounds like you did not do it correctly. :thumbsup:

The AVG Anti-Spyware scan MUST be run in the Safe Mode to remove the malware.

So go back and try it again, but this time in the Safe Mode.

Try this to get your computer in to Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.

If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

and do what they say.

Then run AVG Anti-Spyware per my previous instructions and post the log.

Edited by SifuMike, 11 November 2006 - 09:41 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 AmberD

AmberD
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 11 November 2006 - 11:39 PM

Okay! Finally managed to get it into safe mode...ran them all again and here are the updated logs! Thanks again!


Amber - 06-11-11 17:34:34.01 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Amber\My Documents\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnsintsv.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Amber\Application Data\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\ASKS~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\DOBE~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\MANTEC~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\YMANTE~1
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\SMBOLS~1
C:\QooBox\Purity\Program Files\TSKS~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\SKS~1
C:\QooBox\Purity\Program Files\Common Files\STEM32~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1\??plorer_exe.vir
C:\QooBox\Purity\Program Files\DOBE~1\?ystem32
C:\QooBox\Purity\Program Files\DOBE~1\?dobe
C:\QooBox\Purity\Program Files\ICROSO~1.NET\chkdsk.exe
C:\QooBox\Purity\Program Files\ICROSO~1.NET\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ASEMBL~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET\M?crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1\?icrosoft


((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


2006-11-10 07:48 131,072 --------- C:\WINDOWS\system32\tbfck.dll
2006-10-30 07:27 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-10-30 07:27 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-11 17:35 -------- d-------- C:\Program Files\Common Files
2006-11-11 11:26 -------- d-------- C:\Program Files\Hijackthis
2006-11-11 09:46 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-11 09:45 -------- d-------- C:\Program Files\MSN Messenger
2006-11-11 09:44 -------- d-------- C:\Program Files\Messenger
2006-11-11 09:42 -------- d-------- C:\Program Files\Internet Explorer
2006-11-11 09:41 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-10 21:12 -------- d-------- C:\Program Files\Common Files\Real
2006-11-10 21:12 -------- d-------- C:\Documents and Settings\Amber\Application Data\Real
2006-11-10 20:09 -------- d-------- C:\Documents and Settings\Amber\Application Data\Lavasoft
2006-11-10 20:08 -------- d-------- C:\Program Files\Lavasoft
2006-11-06 17:47 -------- d-------- C:\Program Files\Registry Mechanic
2006-11-02 21:42 -------- d-------- C:\Program Files\Comprehensive Review 3e
2006-10-30 07:27 -------- d-------- C:\Program Files\XviD
2006-10-28 09:49 -------- d-------- C:\Documents and Settings\Amber\Application Data\àppPatch
2006-10-20 19:33 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-10-19 09:17 -------- d-------- C:\Program Files\Real
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Obhn"="\"C:\\PROGRA~1\\ICROSO~1.NET\\chkdsk.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
@="C:\\WINDOWS\\Options\\OEMReset.exe /Audit"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PDUiP6600DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\iP6600D\\PDUiP6600DMon.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SoundMan"="SOUNDMAN.EXE"
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,80,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Obhn"="\"C:\\PROGRA~1\\DOBE~1\\chkntfs.exe\" -vt ndrv"
@="C:\\WINDOWS\\System32\\DDPLAY~1.EXE"
"Cqebr"="C:\\Documents and Settings\\Amber\\Application Data\\??mantec\\??oolsv.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Obhn"="\"C:\\PROGRA~1\\DOBE~1\\chkntfs.exe\" -vt ndrv"
@="C:\\WINDOWS\\System32\\DDPLAY~1.EXE"
"Cqebr"="C:\\Documents and Settings\\Amber\\Application Data\\??mantec\\??oolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Comppop"="{E5E55E48-CE95-41E0-B360-565020027A29}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Amber.job

Completion time: 06-11-11 17:36:01.45
C:\ComboFix.txt ... 06-11-11 17:36


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:28:20 PM 11/11/2006

+ Scan result:



C:\System Volume Information\_restore{F1A05513-E6FA-4EFC-8D86-A6801A9E45EC}\RP671\A0133826.dll -> Adware.PurityScan : Cleaned with backup (quarantined).


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 10:33:17 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R3 - URLSearchHook: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Obhn] "C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: regedit.dll explorer.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: Comppop - {E5E55E48-CE95-41E0-B360-565020027A29} - C:\WINDOWS\system32\bootstyle.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 12 November 2006 - 12:17 AM

Hi Amber,

You have a suspicious file we need to check. :thumbsup:

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner copy and paste C:\WINDOWS\system32\tbfck.dll to the upload and scan it.

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 AmberD

AmberD
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 12 November 2006 - 09:12 AM

Hey, that Jotti scanner is just saying that the file is 0 bytes so can't scan. I searched for it on my computer and it said it wasn't there

Thanks

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 12 November 2006 - 11:42 AM

Hello amber,

You have a nasty malware on your computer. The Troj/SCLog-B records keystokes. :thumbsup:

http://www.sophos.com/virusinfo/analyses/trojsclogb.html

Steals information
Uses its own emailing engine
Reduces system security
Records keystrokes
Installs itself in the Registry
Leaves non-infected files on computer





You have been compromised. :flowers:

I suggest that if you use this computer for business/financial transactions, cancel them immediately and call your bank and tell them about this problem.
You also need to change all your internet passwords like email and etc.



Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

R3 - URLSearchHook: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll (file missing)
O2 - BHO: (no name) - {B87D27BB-BA04-D393-7B92-B79E8C3B52EE} - C:\WINDOWS\system32\tbfck.dll (file missing)
O4 - HKCU\..\Run: [Obhn] "C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe" -vt ndrv
O20 - AppInit_DLLs: regedit.dll explorer.dll
O21 - SSODL: Comppop - {E5E55E48-CE95-41E0-B360-565020027A29} - C:\WINDOWS\system32\bootstyle.dll


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know. Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\bootstyle.dll <==file
C:\WINDOWS\system32\regedit.dll <==file
C:\WINDOWS\system32\explorer.dll <==file
C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe <==file Be careful to delete the correct chkdsk.exe in the in folder ICROSO~1.NET.
Do NOT delete anything in the legit folder MICROSO~1.NET


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Finally, reboot to the Normal Mode and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 12 November 2006 - 11:56 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 AmberD

AmberD
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 12 November 2006 - 12:33 PM

Hey, well you have me completely paranoid now!! Will you be able to tell if these suckers are gone for real?? I fixed the requested files using hijackthis. I deleted bootstyle.dll but the following two weren't found

C:\WINDOWS\system32\regedit.dll <==file
C:\WINDOWS\system32\explorer.dll <==file

Also, I couldn't find chkdsk.exe in the folder specified but I did find one in C:\QooBox\Purity\Program Files\ICROSO~1.net

I DIDN'T delete it because it wasn't in the folder you specified. You can let me know if I should or not.

Ran CCleaner, and here is my new Hijackthis log!

Thanks for the help, I hope I can get rid of these things!
Amber


Logfile of HijackThis v1.99.1
Scan saved at 11:23:24 AM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 12 November 2006 - 02:56 PM

Hi AmberD,

Hey, well you have me completely paranoid now!!


A little paranoia is OK, as it keeps you alert for malware. Not to worry, I think we have the malware removed.

You log looks clean. :thumbsup:

Also, I couldn't find chkdsk.exe in the folder specified but I did find one in C:\QooBox\Purity\Program Files\ICROSO~1.net



That is OK, as it has been quartentined you ComboFix. If you look in the ComboFix report - Folders Quarantined -you will see it listed.

Lets run ComboFix once more. :flowers:

In normal mode:
1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Do not proceed with the rest of the fix if you fail to run combofix
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.




Go here and run the this online scan, allow it to delete whatever is found:

Panda ActiveScan
Note: This Scanner is for Internet Explorer Only!
Once you are on the Panda site click the Scan your PC button
[*]A new window will open...click the Check Now button
[*]Enter your Country
[*]Enter your State/Province
[*]Enter your e-mail address and click send
[*]Select either Home User or Company
[*]Click the big Scan Now button
[*]If it wants to install an ActiveX component allow it
[*]It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes, so be patient)
[*]When download is complete, click on Local Disks to start the scan
[*]When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Note any thing that can't be fixed

Please post the contents of Panda scan
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 AmberD

AmberD
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 12 November 2006 - 06:31 PM

Here are my new ComboFix & Activescan logs. I thought it disinfected all the files that were found but at the end this file was still there under possible threats: C:\QooBox\Purity\Program Files\ICROSO~1.NET\chkdsk.exe

I haven't noticed any annoying pop ups all afternoon so I'm pretty excited about that!! Thanks for all the help!


Amber - 06-11-12 14:08:42.53 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Amber\My Documents\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Amber\Application Data\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\ASKS~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\DOBE~1
C:\QooBox\Purity\Documents and Settings\Amber\Application Data\MANTEC~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Amber\My Documents\YMANTE~1
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\SMBOLS~1
C:\QooBox\Purity\Program Files\TSKS~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\SKS~1
C:\QooBox\Purity\Program Files\Common Files\STEM32~1
C:\QooBox\Purity\Program Files\DOBE~1\?ystem32
C:\QooBox\Purity\Program Files\DOBE~1\?dobe
C:\QooBox\Purity\Program Files\ICROSO~1.NET\chkdsk.exe
C:\QooBox\Purity\Program Files\ICROSO~1.NET\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ASEMBL~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET\M?crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1\?icrosoft


((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))


2006-11-12 11:56 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-11 17:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-30 07:27 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-10-30 07:27 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-10-27 15:09 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 02:44 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 13:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-12 12:04 -------- d-------- C:\Program Files\Common Files
2006-11-12 12:03 -------- d-------- C:\Program Files\Internet Explorer
2006-11-12 11:23 -------- d-------- C:\Program Files\Hijackthis
2006-11-12 10:46 -------- d-------- C:\Program Files\CCleaner
2006-11-11 17:41 -------- d-------- C:\Program Files\Grisoft
2006-11-11 09:46 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-11 09:45 -------- d-------- C:\Program Files\MSN Messenger
2006-11-11 09:44 -------- d-------- C:\Program Files\Messenger
2006-11-11 09:41 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-10 21:12 -------- d-------- C:\Program Files\Common Files\Real
2006-11-10 21:12 -------- d-------- C:\Documents and Settings\Amber\Application Data\Real
2006-11-10 20:09 -------- d-------- C:\Documents and Settings\Amber\Application Data\Lavasoft
2006-11-10 20:08 -------- d-------- C:\Program Files\Lavasoft
2006-11-06 17:47 -------- d-------- C:\Program Files\Registry Mechanic
2006-11-02 21:42 -------- d-------- C:\Program Files\Comprehensive Review 3e
2006-10-30 07:27 -------- d-------- C:\Program Files\XviD
2006-10-28 09:49 -------- d-------- C:\Documents and Settings\Amber\Application Data\àppPatch
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-20 19:33 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-10-19 09:17 -------- d-------- C:\Program Files\Real
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 17:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
@="C:\\WINDOWS\\Options\\OEMReset.exe /Audit"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PDUiP6600DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\iP6600D\\PDUiP6600DMon.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SoundMan"="SOUNDMAN.EXE"
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,80,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Obhn"="\"C:\\PROGRA~1\\DOBE~1\\chkntfs.exe\" -vt ndrv"
@="C:\\WINDOWS\\System32\\DDPLAY~1.EXE"
"Cqebr"="C:\\Documents and Settings\\Amber\\Application Data\\??mantec\\??oolsv.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Obhn"="\"C:\\PROGRA~1\\DOBE~1\\chkntfs.exe\" -vt ndrv"
@="C:\\WINDOWS\\System32\\DDPLAY~1.EXE"
"Cqebr"="C:\\Documents and Settings\\Amber\\Application Data\\??mantec\\??oolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Amber.job

Completion time: 06-11-12 14:09:27.10
C:\ComboFix.txt ... 06-11-12 14:09
C:\ComboFix2.txt ... 06-11-11 17:36



Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Amber\Cookies\amber@2o7[2].txt
Possible Virus. Not disinfected C:\QooBox\Purity\Program Files\ICROSO~1.NET\chkdsk.exe
Adware:adware/sahagent Not disinfected C:\WINDOWS\bundle_mediamotor1004.exe
Potentially unwanted tool:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\thin-143-1-x-x.exe
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Spyware:spyware/adclicker Not disinfected C:\WINDOWS\usta33.ini

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 12 November 2006 - 07:02 PM

Hi Amber,

I thought it disinfected all the files that were found but at the end this file was still there under possible threats: C:\QooBox\Purity\Program Files\ICROSO~1.NET\chkdsk.exe




Not to worry. :thumbsup:
ComboFix creates a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. You can delete C:\QooBox\ folder.

Panda found some malware remenents, so you can delete these files:
C:\WINDOWS\bundle_mediamotor1004.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\thin-143-1-x-x.exe
C:\WINDOWS\ubber60.ini
C:\WINDOWS\usta33.ini

Let me know how your computer is running. :flowers:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 AmberD

AmberD
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 13 November 2006 - 03:28 PM

Thank you so much for all your help...you're a computer genius!! :thumbsup:

Computer seems to be running great, I haven't had any pop ups at all today so I'm very happy....you were super fast and efficient, thanks soooo much!

Amber

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 AM

Posted 13 November 2006 - 04:00 PM

Hi Amber,

Thats good to hear, and you are very welcome for the help.
I hope your computer continues to run smoothly for you. :thumbsup:


Lets clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Please read and follow How did I get infected?, With steps so it does not happen again! :flowers:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users