
Symantec Email Proxy Pop-ups (HijackThis Log Included)


  • This topic is locked
16 replies to this topic

#1 kerriwfc (Members, 7 posts)

Posted 29 March 2007 - 11:19 AM

I have a laptop that is pretty infected with who knows what. I found several trojans and spyware and have tried to remove them. At one point in time, I was getting the System Alert pop-ups, but I got those taken care of. I have run Spybot Search and Destroy, AdAware, Webroot, Symantec AntiVirus, HouseCall, Panda (which never finished because the internet browser closed in the middle of the scan), tried to run BitDefender (never could get it to download), and Stinger. All of my Windows Updates are done and the Windows Firewall is enabled. I ran HijackThis and the log file is below. Please help!


Logfile of HijackThis v1.99.1
Scan saved at 11:15:25 AM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ctnolhm.exe
O2 - BHO: (no name) - {b6e114c4-10ea-4322-aa32-60d49f0f3933} - C:\WINDOWS\system32\ati3ess.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\SBailey\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [hdlfoe df98ndf] C:\DOCUME~1\SBailey\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159415372838
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ati3ess - C:\WINDOWS\SYSTEM32\ati3ess.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNtf.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe


#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 29 March 2007 - 03:21 PM

Hello,

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\SYSTEM32\ati3ess.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ctnolhm.exe
O2 - BHO: (no name) - {b6e114c4-10ea-4322-aa32-60d49f0f3933} - C:\WINDOWS\system32\ati3ess.dll
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\SBailey\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [hdlfoe df98ndf] C:\DOCUME~1\SBailey\LOCALS~1\Temp\svchots.exe
O20 - Winlogon Notify: ati3ess - C:\WINDOWS\SYSTEM32\ati3ess.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download ComboFix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the log from VundoFix (C:\Vundofix.txt).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
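The entries singled out in the reply above share a few mechanical patterns: a Run key launching a program from the user's Temp directory, a UserInit value with a second program appended after userinit.exe, a Browser Helper Object registered without a name, and one DLL (ati3ess.dll) registered both as a BHO and as a Winlogon Notify package. The following Python script is an added example, not part of the original thread, of HijackThis or of any vendor's signatures; it applies those rules to the log lines posted above, which are copied into the script as constructed sample input. The rule names and severities are my own heuristics.

```python
"""Triage a HijackThis 1.99.1 log for the entry patterns flagged in this thread.

Added example; not part of the original post, of HijackThis, or of any vendor
signature set. The sample lines are copied from the first log posted above.
The rules and severities are my own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ctnolhm.exe
O2 - BHO: (no name) - {b6e114c4-10ea-4322-aa32-60d49f0f3933} - C:\WINDOWS\system32\ati3ess.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\SBailey\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [hdlfoe df98ndf] C:\DOCUME~1\SBailey\LOCALS~1\Temp\svchots.exe
O20 - Winlogon Notify: ati3ess - C:\WINDOWS\SYSTEM32\ati3ess.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Every HijackThis entry starts with its section code: "O4 - HKCU\..\Run: [name] path"
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# A user's temp directory, in long or 8.3 form.
TEMP_DIR = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def entries(log: str):
    """Yield (section, body, full_line) for each entry line; ignore everything else."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2), line


def is_default_userinit(program: str) -> bool:
    """True for the one program UserInit is supposed to run."""
    name = program.strip().lower()
    return name == "userinit.exe" or name.endswith("\\userinit.exe")


def target_path(body: str) -> str:
    """The last ' - '-separated field of an O2/O20 entry is the DLL path."""
    return body.rsplit(" - ", 1)[-1].strip().lower()


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_dlls: set[str] = set()
    notify: list[tuple[str, str]] = []

    for section, body, line in entries(log):
        if section == "R3" and body.endswith("(no file)"):
            findings.append(Finding("low", "URLSearchHook points at a file that no longer exists", line))
        elif section == "F2" and "UserInit=" in body:
            programs = body.split("UserInit=", 1)[1].split(",")
            extras = [p.strip() for p in programs if p.strip() and not is_default_userinit(p)]
            if extras:
                findings.append(Finding("high", "UserInit runs extra program(s) at logon: " + ", ".join(extras), line))
        elif section == "O2":
            bho_dlls.add(target_path(body))
            if body.startswith("BHO: (no name)"):
                findings.append(Finding("medium", "Browser Helper Object registered without a name", line))
        elif section == "O4" and TEMP_DIR.search(body):
            findings.append(Finding("high", "Run entry launches a program from a Temp directory", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            notify.append((target_path(body), line))

    # Cross-reference: a DLL that is both a BHO and a Winlogon Notify package is
    # loaded into the browser and into winlogon.exe, so it stays loaded for the
    # whole logon session. ati3ess.dll above has exactly that footprint.
    for dll, line in notify:
        if dll in bho_dlls:
            findings.append(Finding("high", "Winlogon Notify DLL is also registered as a BHO", line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags the same six lines the reply lists and leaves the Symantec ccApp Run entry and the WgaLogon Notify package alone. The cross-reference step is the part a line-by-line read tends to miss: on its own, an O20 entry with an unfamiliar name is only a lead, but the same DLL also appearing as an O2 BHO is a pattern worth treating as high severity.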

#3 kerriwfc (Topic Starter)

Posted 29 March 2007 - 04:12 PM

Okay, I have done what you have asked and here are the logs...

Vundo.txt:


VundoFix V6.3.18

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 3:30:48 PM 3/29/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\ati3ess.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ati3ess.dll
C:\WINDOWS\SYSTEM32\ati3ess.dll Has been deleted!

Performing Repairs to the registry.
Done!


ComboFix:

"SBailey" - 07-03-29 15:47:57 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\SBailey\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1395OinUninstaller.exe
C:\DOCUME~1\SBailey\Desktop.\internet explorer.lnk
C:\WINDOWS\invupd.exe
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\SYSTEM32\CROSOF~1
C:\qoobox\purity\WINDOWS\SYSTEM32\YMBOLS~1
C:\qoobox\purity\WINDOWS\SYSTEM32\CROSOF~1\ping.exe
C:\qoobox\purity\WINDOWS\SYSTEM32\CROSOF~1\??crosoft
C:\qoobox\purity\WINDOWS\SYSTEM32\YMBOLS~1\??erinit.exe


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-29 ))))))))))))))))))))))))))))))))))


2007-03-29 15:30 <DIR> d-------- C:\VundoFix Backups
2007-03-28 15:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-03-28 15:45 <DIR> d-------- C:\DOCUME~1\SBailey\.housecall6.6
2007-03-28 15:11 <DIR> d-------- C:\DOCUME~1\SBailey\APPLIC~1\Lavasoft
2007-03-28 09:21 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-03-26 09:26 87,768 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-03-26 09:26 108,168 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-03-26 09:25 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-03-26 09:02 3,188 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-03-23 09:32 <DIR> d-------- C:\Program Files\3B Software
2007-03-21 13:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Seven Zip
2007-03-21 13:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\PhotoWorks
2007-03-21 13:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-03-21 13:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-03-21 12:01 <DIR> d-------- C:\fd9f348566b82c50509c399a8f18
2007-03-20 16:08 1,152 --a------ C:\WINDOWS\SYSTEM32\windrv.sys
2007-03-20 15:40 <DIR> d-------- C:\WINDOWS\CSC
2007-03-20 14:05 <DIR> d-------- C:\DOCUME~1\SBailey\APPLIC~1\Webroot
2007-03-20 14:04 <DIR> d-------- C:\Program Files\Webroot


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-29 08:56 -------- d-------- C:\Program Files\quicktime
2007-03-29 08:42 -------- d-------- C:\Program Files\google
2007-03-29 08:42 -------- d-------- C:\Program Files\dell support
2007-03-28 15:11 -------- d-------- C:\Program Files\lavasoft
2007-03-26 09:26 -------- d-------- C:\Program Files\symantec
2007-03-23 14:22 902 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2007-03-23 14:02 -------- d-------- C:\Program Files\yahoo!
2007-03-21 15:20 -------- d-------- C:\Program Files\java
2007-03-21 13:40 -------- d-------- C:\DOCUME~1\SBailey\APPLIC~1\photoworks
2007-03-21 13:39 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 13:38 -------- d-------- C:\Program Files\limewire
2007-03-21 13:37 -------- d-------- C:\Program Files\irfanview
2007-03-21 13:37 -------- d-------- C:\Program Files\divx
2007-02-24 03:42 -------- d-------- C:\DOCUME~1\SBailey\APPLIC~1\viewpoint
2007-02-23 21:23 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-02-17 15:12 -------- d-------- C:\Program Files\morpheusbar
2007-02-17 15:12 -------- d-------- C:\Program Files\morpheus
2007-01-30 00:03 36624 --------- C:\WINDOWS\SYSTEM32\DRIVERS\pxhelp20.sys
2007-01-30 00:03 129784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-01-30 00:03 118520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-01-30 00:03 116472 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NDPS"="C:\\WINDOWS\\system32\\dpmw32.exe"
"ZENRC Tray Icon"="zentray.exe"
"NWTRAY"="NWTRAY.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SpySweeperEnterprise"="\"C:\\Program Files\\Webroot\\Enterprise\\Spy Sweeper\\SpySweeperUI.EXE\" /StartInTray"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"item"="DVDLauncher"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"item"="iTunesHelper"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"item"="Picasa Media Detector"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
"item"="SNM"
"command"="C:\\Program Files\\SpyNoMore\\SNM.exe /startup"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="ziswin.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a5bd250-7aeb-11d9-8270-000f1f22e339}]
Shell\AutoRun\command E:\JDSecure\Windows\JDSecure20.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-29 15:56:22


And last but not least, the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:20 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159415372838
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNtf.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
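The items in the logs above are worth a second look for how they were named: svchots.exe (one letter-swap from svchost.exe) and winlogon.exe (a real system name, but in the user's Temp directory) in the HijackThis Run entries, and in ComboFix's Purity listing a ping.exe under CROSOF~1 and two names with characters the log prints as ?? (??crosoft, ??erinit.exe). The Python below is an added example, not part of the thread, of ComboFix or of HijackThis. It scores a path for three impersonation tricks: a system binary name outside its home directory, a name one edit or transposition away from a system binary, and unprintable characters standing in for letters of a system-like name. Two assumptions of mine, also marked in the code: ComboFix's quarantine keeps the original tree under C:\qoobox\purity, so dropping that prefix gives an item's original location, and a ? in a logged name is a character the log could not print.

```python
r"""Flag file and directory names that impersonate Windows system components.

Added example; not part of the original thread, of ComboFix or of HijackThis.
The sample paths are the suspicious items from the two logs posted above. Two
assumptions of mine: ComboFix's Purity listing keeps the original directory
tree under C:\qoobox\purity, so stripping that prefix gives the item's original
location, and a '?' in a name is a character the log could not print.
"""
from __future__ import annotations

import ntpath
import re

# Home directory of well-known Windows XP binaries (all lowercase).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "ping.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Directory names worth imitating.
SYSTEM_DIR_NAMES = ["microsoft", "windows", "system32"]
QUARANTINE_PREFIX = r"c:\qoobox\purity"  # assumption: ComboFix's quarantine root

# Constructed sample: the paths from the HijackThis O4 lines and the ComboFix
# Purity section above, plus one legitimate path for contrast.
SUSPECT_PATHS = [
    r"C:\DOCUME~1\SBailey\LOCALS~1\Temp\winlogon.exe",
    r"C:\DOCUME~1\SBailey\LOCALS~1\Temp\svchots.exe",
    r"C:\qoobox\purity\WINDOWS\SYSTEM32\CROSOF~1\ping.exe",
    r"C:\qoobox\purity\WINDOWS\SYSTEM32\CROSOF~1\??crosoft",
    r"C:\qoobox\purity\WINDOWS\SYSTEM32\YMBOLS~1\??erinit.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1, and an
    adjacent transposition also costs 1, so 'svchots' is one step from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def masked_matches(name: str, candidates) -> list[str]:
    """Treat each '?' as a wildcard for one unprintable character and return the
    known names it could be hiding: '??erinit.exe' -> ['userinit.exe']."""
    if "?" not in name:
        return []
    pattern = re.escape(name.lower()).replace(r"\?", ".")
    return [c for c in candidates if re.fullmatch(pattern, c)]


def original_location(path: str) -> str:
    """Map a ComboFix quarantine path back to where the item sat before removal
    (assumes the quarantine mirrors the original tree under C:\\qoobox\\purity)."""
    if path.lower().startswith(QUARANTINE_PREFIX + "\\"):
        return "C:" + path[len(QUARANTINE_PREFIX):]
    return path


def assess(path: str) -> list[str]:
    """Return the reasons this path looks like it impersonates a system component."""
    directory, name = ntpath.split(original_location(path))
    directory, name = directory.lower(), name.lower()
    reasons: list[str] = []

    # 1. Right name, wrong place: a system binary name outside its home directory.
    home = SYSTEM_BINARIES.get(name)
    if home is not None and directory != home:
        reasons.append(f"{name} belongs in {home} but sits in {directory}")

    # 2. Typosquat: one edit or transposition away from a system binary name.
    for known in SYSTEM_BINARIES:
        if name != known and osa_distance(name, known) == 1:
            reasons.append(f"{name} is one edit away from {known}")

    # 3. Unprintable characters standing in for letters of a system-like name,
    #    in the file name or in any directory component.
    known_names = list(SYSTEM_BINARIES) + SYSTEM_DIR_NAMES
    for component in [name] + directory.split("\\"):
        for hidden in masked_matches(component, known_names):
            reasons.append(f"{component} has unprintable characters where {hidden} would read")
    return reasons


def triage(paths) -> dict[str, list[str]]:
    return {p: assess(p) for p in paths}


if __name__ == "__main__":
    for path, reasons in triage(SUSPECT_PATHS).items():
        print(path)
        for r in reasons or ["no impersonation indicators"]:
            print("   ", r)
```

Each of the five suspicious paths gets exactly one reason and the genuine C:\WINDOWS\system32\svchost.exe gets none. The transposition-aware distance matters: plain Levenshtein puts svchots.exe two edits from svchost.exe, which is far enough to be lost among legitimate names of similar length.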

#4 miekiemoes, Malware Killer Dog (Malware Response Team)

Posted 29 March 2007 - 04:21 PM

Hi,

Your log looks clean again.

Browse to and delete the following files:

C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\winpfg32.sys

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear Now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Let me know in your next reply how things are now.

#5 kerriwfc

kerriwfc
  • Topic Starter
  • Members
  • 7 posts

Posted 29 March 2007 - 04:49 PM

Well, no sooner had I deleted the files you told me to than the pop-ups started again. Any other ideas?

#6 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 March 2007 - 05:10 PM

What popups exactly are you getting?
Can you post a new HijackThis log?

Also, go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

C:\WINDOWS\SYSTEM32\windrv.sys

Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Edited by miekiemoes, 29 March 2007 - 05:14 PM.


#7 kerriwfc

kerriwfc
  • Topic Starter
  • Members
  • 7 posts

Posted 30 March 2007 - 09:02 AM

Sorry it took me so long to get back to you! The last posting I made was right at the end of my work day. The pop-ups I am talking about are the Symantec proxy email pop-ups. It seems like something has taken over the laptop and is using it as a spamming machine. The Symantec proxy email pop-ups say that the email can't be delivered because the email account doesn't exist or it was denied because of the black list, etc. Also, Internet Explorer is not displaying the webpages correctly. None of the pictures come up; there is just a red X there. I tried running Panda Antivirus again but it still closed in the middle of the scan. It does show that there are 32 Spyware and 1 Hacking Tools on the laptop before it closes.

Here is the VirusTotal log:

Complete scanning result of "windrv.sys", received in VirusTotal at 03.30.2007, 15:28:45 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.30.0 03.30.2007 no virus found
AntiVir 7.3.1.46 03.30.2007 no virus found
Authentium 4.93.8 03.30.2007 no virus found
Avast 4.7.936.0 03.30.2007 no virus found
AVG 7.5.0.447 03.29.2007 no virus found
BitDefender 7.2 03.30.2007 no virus found
CAT-QuickHeal 9.00 03.29.2007 no virus found
ClamAV devel-20070312 03.30.2007 no virus found
DrWeb 4.33 03.30.2007 no virus found
eSafe 7.0.15.0 03.29.2007 no virus found
eTrust-Vet 30.6.3524 03.30.2007 no virus found
Ewido 4.0 03.30.2007 no virus found
FileAdvisor 1 03.30.2007 no virus found
Fortinet 2.85.0.0 03.30.2007 no virus found
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 03.30.2007 no virus found
Ikarus T3.1.1.3 03.30.2007 no virus found
Kaspersky 4.0.2.24 03.30.2007 no virus found
McAfee 4995 03.29.2007 no virus found
Microsoft 1.2306 03.30.2007 no virus found
NOD32v2 2157 03.30.2007 no virus found
Norman 5.80.02 03.30.2007 no virus found
Panda 9.0.0.4 03.30.2007 no virus found
Prevx1 V2 03.30.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.29.2007 no virus found
Symantec 10 03.30.2007 no virus found
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 03.29.2007 no virus found
VirusBuster 4.3.7:9 03.29.2007 no virus found
Webwasher-Gateway 6.0.1 03.30.2007 no virus found

Aditional Information
File size: 1152 bytes
MD5: 87b8f466b9be96bdf041e186732ed9cf
SHA1: a07b8c0ab07a1d427279eed8aa381f38817bc90b
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:33 AM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159415372838
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNtf.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

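As an added example (not code from the thread, HijackThis, VirusTotal or Symantec): a small Python triage script that parses the O4 Run lines from a HijackThis log like the one above, hashes the executable each entry launches, and checks those hashes against a pasted VirusTotal report, the same MD5/SHA1 comparison that was done for windrv.sys above. The log lines and the file it hashes are constructed samples.

```python
"""Added example for this thread (not HijackThis, Symantec or forum code): pull the
O4 Run entries out of a HijackThis log, resolve the executable each one launches,
hash it, and compare the hashes with a pasted VirusTotal report such as the one
posted for windrv.sys. Log lines and files used below are constructed samples."""
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the O4 lines of the HijackThis log in this thread.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup',
    r'O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe',
])

# "O4 - HKCU\..\Run: [name] command"; only the registry Run entries are parsed here.
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"(?:\s+(?P<args>.*))?$')
# Unquoted paths may contain spaces, so cut at the first executable extension instead.
BARE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s+(?P<args>.*))?$', re.IGNORECASE)
VT_HASH_RE = re.compile(r'^(MD5|SHA1):\s*([0-9a-fA-F]+)\s*$', re.MULTILINE)


@dataclass
class RunEntry:
    hive: str      # HKLM (all users) or HKCU (the logged-on user only)
    name: str      # value name shown in brackets by HijackThis
    path: str      # executable as written in the registry value
    args: str      # remaining command-line arguments

    @property
    def fully_qualified(self) -> bool:
        """A bare file name (e.g. NWTRAY.EXE) is resolved via PATH, so it cannot be hashed as-is."""
        return re.match(r'^[A-Za-z]:\\', self.path) is not None or self.path.startswith('\\\\')


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable path, arguments)."""
    m = QUOTED_RE.match(cmd) or BARE_RE.match(cmd)
    if m is None:
        return cmd.strip(), ''
    return m.group('path'), m.group('args') or ''


def parse_o4_run_entries(log_text: str) -> List[RunEntry]:
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m is None:
            continue  # O3/O16/O23 lines and "Global Startup" shortcuts are out of scope
        path, args = split_command(m.group('cmd'))
        entries.append(RunEntry(m.group('hive'), m.group('name'), path, args))
    return entries


def hash_file(path: str) -> Dict[str, object]:
    """MD5, SHA1 and size: the three fields a VirusTotal report of that era lists."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {'md5': md5.hexdigest(), 'sha1': sha1.hexdigest(), 'size': size}


def report_hashes(report_text: str) -> Dict[str, str]:
    """Extract the MD5/SHA1 lines from a pasted VirusTotal text report."""
    return {k.lower(): v.lower() for k, v in VT_HASH_RE.findall(report_text)}


def matches_report(file_hashes: Dict[str, object], report_text: str) -> bool:
    """True only when every hash in the report equals the hash of the local file."""
    expected = report_hashes(report_text)
    return bool(expected) and all(file_hashes.get(k) == v for k, v in expected.items())


def file_age_days(path: str, now: Optional[float] = None) -> float:
    """Days since last modification; a fresh timestamp on an old autostart binary is worth a look."""
    now = time.time() if now is None else now
    return (now - os.stat(path).st_mtime) / 86400.0


def write_sample_file(content: bytes, name: str = 'sample.exe') -> str:
    """Create a constructed file in a temp directory so the hashing can be exercised offline."""
    path = os.path.join(tempfile.mkdtemp(prefix='hjt_triage_'), name)
    with open(path, 'wb') as fh:
        fh.write(content)
    return path


if __name__ == '__main__':
    for e in parse_o4_run_entries(SAMPLE_LOG):
        status = 'hash it' if e.fully_qualified else 'bare name, locate it on PATH first'
        print(f'{e.hive} [{e.name}] {e.path} {e.args}'.rstrip(), '->', status)
```

Run it against a real log by reading the file into `parse_o4_run_entries`, then hash only the entries whose `fully_qualified` property is true and that exist on disk.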
#8 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 March 2007 - 09:17 AM

QUOTE
The Symantec proxy email pop-ups say that the email can't be delivered because the email account doesn't exist or it was denied because of the black list, etc.

Do you get this when you send mail?

QUOTE
Also, Internet Explorer is not displaying the webpages correctly. None of the pictures come up, there is just a red X there.

Is any scanner blocking the images? Also look in your Internet Settings > Advanced and set everything to default there.
Also, start your computer in Windows Safe Mode (with networking support) and open Internet Explorer. See if images appear then. If so, then a third-party tool (most probably Symantec or Spy Sweeper) is blocking the images, since these scanners don't run in Safe Mode.

I also asked you before to clean cache and cookies. Not sure if you have done this.

Do the next as well.

Download and save BlackLight to your desktop.
F-Secure BlackLight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose Rename yet! I want to see the log first, because legitimate items can also be present there.
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
I need that log later.

Also, it's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
do not use the scan yet

--------------------------

* Reboot into Safe Mode (without networking support!):
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Double-click drweb-cureit.exe, click Start and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • It may display a popup in between asking you to buy it, or offering a 50% discount. Just close that popup again.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image: Posted Image
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
-------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post the following logs in your next reply:

* Log from DrWeb CureIt
* Log from SDFix
* Log from blacklight

Edited by miekiemoes, 30 March 2007 - 09:18 AM.


#9 kerriwfc

kerriwfc
  • Topic Starter
  • Members
  • 7 posts

Posted 30 March 2007 - 03:22 PM

QUOTE
The Symantec proxy email pop-ups say that the email can't be delivered because the email account doesn't exist or it was denied because of the black list, etc.
Do you get this when you send mail?

No, I am not sending mail when I get this message. They just start popping up after the computer has been up for a couple of minutes. But, they only come up if I am logged in as SBAILEY. When I log in as admin they do not come up.


QUOTE
Also, Internet Explorer is not displaying the webpages correctly. None of the pictures come up, there is just a red X there.
Is any scanner blocking the images? Also look in your Internet Settings > Advanced and set everything to default there.
Also, start your computer in Windows Safe Mode (with networking support) and open Internet Explorer. See if images appear then. If so, then a third-party tool (most probably Symantec or Spy Sweeper) is blocking the images, since these scanners don't run in Safe Mode.

The images come up fine when I log in as admin. Only when I log in as SBAILEY do they not pull up.


I have cleaned the cache and cookies and temp files every time you have asked me to.

Blacklight did not find any files. Here is the log file:

03/30/07 10:23:42 [Info]: BlackLight Engine 1.0.61 initialized
03/30/07 10:23:42 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/30/07 10:23:49 [Note]: 7019 4
03/30/07 10:23:49 [Note]: 7005 0
03/30/07 10:24:11 [Note]: 7006 0
03/30/07 10:24:11 [Note]: 7011 3912
03/30/07 10:24:13 [Note]: 7026 0
03/30/07 10:24:14 [Note]: 7026 0
03/30/07 10:24:22 [Note]: FSRAW library version 1.7.1021
03/30/07 10:35:19 [Note]: 7007 0


Dr.Web CureIt I had some problems with. I booted the machine in Safe Mode and logged in as SBAILEY. I ran the program and it did find one thing that it cured on the first scan. It said the file was infected with Win32.Grum. Then I made the changes like you said, and after the scan had been running about an hour (the status bar was about halfway through) the machine shut off. I tried it again two other times and it did the same thing, but it wasn't always in the same place. I was not able to save a log file.

I went ahead and ran the SDFix and here are the log files from it:


SDFix: Version 1.75

Run by SBailey - Fri 03/30/2007 - 14:54:36.35

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\dpmw32.exe"="C:\\WINDOWS\\SYSTEM32\\dpmw32.exe:*:Enabled:NDPS RPM & Notification Listener"
"C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe:*:Disabled:GoogleToolbarNotifier"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes :

C:\Program Files\Picasa2\setup.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\BIT1D.tmp

Finished

When this finished it asked me to run Catchme and here is the log file from it:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Also, now I have an application error from WMRUNDLL.EXE that pops up four times when I start the computer and 4 times when I shut the computer down.

#10 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 March 2007 - 03:38 PM

Hi,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option. !! important step !!
Click Yes to confirm.
Click OK.

Delete the entire contents of next folder:

C:\WINDOWS\Temp

The WMRUNDLL.EXE error is related to your Novell Workstation. I guess something got corrupted in there, which doesn't surprise me at all, because malware damages a lot. Do you get this error also on the Admin account?
If so, it may be a good idea to reinstall your Novell Workstation.

Looks like the main problem exists on the SBAILEY account; most damage is present there. Also the fact that images in Internet Explorer do not appear on that account makes me think that the cache got corrupted; actually the entire user account sounds like it is corrupted. You don't have any problem on the admin account, as you say.
I guess the best action to take here is to delete the SBAILEY account and create another account instead.

Let's have a final scan with Kaspersky online to get rid of the leftovers..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

#11 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 March 2007 - 04:24 PM

Extra question - since the main problem appears on the SBailey account, it is actually that user account which is infected, since the malware is/was running from the C:\DOCUME~1\SBailey\LOCALS~1\Temp folder (cache) previously, which also explains why Internet Explorer may show broken images, since most probably the cache got corrupted or is full.
That's why I also asked you to clean cache and cookies. So I'm not sure from which account exactly you did this, because if you're doing this from the Admin account, it will only clean the cache etc. for the admin account and leave the infected files on the SBailey account.
So if these files are still present there, that explains why it's still sending mails.
That also explains why you don't have that problem on the Admin account.

Anyway, the Kaspersky scan will tell; it scans all user accounts / temp folders as well.
As I already said previously, I've seen this infection damaging/corrupting entire user profiles before, and it wouldn't surprise me if this is the same case here even though.

#12 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 31 March 2007 - 03:31 PM

I've been doing more research on this infection you are dealing with.
Here's more info:
http://www.trendmicro.com/vinfo/virusencyc...2DO&VSect=P

It appends its code in all .EXE files with an autorun registry entry in HKEY_CURRENT_USER. All infected files are detected by Trend Micro as PE_GRUM.B.


Which in your case is:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

And that explains why nothing suspicious is seen in the logs, since it patches legit files.
In your case, from your Combofix log, I *do* see the following being recently modified:

2007-03-29 08:42 -------- d-------- C:\Program Files\google
2007-03-29 08:42 -------- d-------- C:\Program Files\dell support

which point to:

C:\Program Files\Dell Support\DSAgnt.exe and C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe from your HijackThis log, so this means these files are infected.

However, I do not see the ctfmon.exe being modified.

Anyway, what I suggest you do here is -- check and fix the following entries in HijackThis:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

Then delete the following files:

C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

The above files are not really required anyway; it's only an updater for the Google Toolbar, and DSAgnt.exe also offers updates. Most people disable them anyway. You can always reinstall Dell Support and the Google Toolbar again to get these files back.

Concerning ctfmon.exe: normally, as it says in the description, it should patch ctfmon.exe as well, although I don't see it anywhere being modified in your Combofix log. But just to be on the safe side, go to the following site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the Browse button and browse to the following file:

C:\Windows\system32\ctfmon.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Normally your Symantec should recognise it though, so make sure you update your Antivirus and let it perform a full scan.

Also, don't forget to perform the step with Kaspersky online.
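As an added triage example (not code from this thread, nor from HijackThis or ComboFix), the following Python script applies the reasoning in the reply above: it parses the HijackThis O4 lines and the ComboFix "recently modified" directory lines quoted in the post, then flags every autostart executable that lives under a directory modified close to the infection date, so DSAgnt.exe and GoogleToolbarNotifier.exe come out as suspects while ctfmon.exe does not. The sample lines are the ones quoted in the post; the function names, the seven-day window and the reference date are my own assumptions.

```python
"""Added triage helper (not from the thread or from HijackThis/ComboFix):
cross-reference Run-key autostart entries with recently modified directories."""
import re
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Optional

# HijackThis O4 line: "O4 - HKCU\..\Run: [name] command line"
_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix "recently modified" line: date time size attributes path
_CF_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+\S+\s+(?P<attr>\S+)\s+(?P<path>.+)$")

# Sample input: the O4 entries and ComboFix lines quoted in the post above.
HJT_LINES = [
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup',
    r"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe",
]
CF_LINES = [
    r"2007-03-29 08:42 -------- d-------- C:\Program Files\google",
    r"2007-03-29 08:42 -------- d-------- C:\Program Files\dell support",
]


class RunEntry(NamedTuple):
    hive: str
    name: str
    exe: str  # executable path, quotes and arguments stripped


class ModifiedDir(NamedTuple):
    when: date
    path: str


def exe_from_command(cmd: str) -> str:
    """Reduce a Run-key command line to its executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)  # unquoted: cut right after .exe
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def parse_hjt_o4(lines: Iterable[str]) -> List[RunEntry]:
    """Extract hive, entry name and executable from HijackThis O4 lines."""
    entries = []
    for line in lines:
        m = _O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], exe_from_command(m["cmd"])))
    return entries


def parse_combofix_modified(lines: Iterable[str]) -> List[ModifiedDir]:
    """Keep only directory entries (attribute string starting with 'd')."""
    dirs = []
    for line in lines:
        m = _CF_RE.match(line.strip())
        if m and m["attr"].startswith("d"):
            dirs.append(ModifiedDir(date.fromisoformat(m["date"]), m["path"]))
    return dirs


def flag_entries(entries: List[RunEntry], mod_dirs: List[ModifiedDir],
                 reference: date, window_days: int = 7) -> Dict[str, Optional[str]]:
    """Map each autostart executable to the recently modified directory it
    lives under, or None when nothing matches (the ctfmon.exe case above)."""
    recent = [d for d in mod_dirs if abs((reference - d.when).days) <= window_days]
    result: Dict[str, Optional[str]] = {}
    for e in entries:
        exe_l = e.exe.lower()                      # Windows paths: compare case-insensitively
        hit = None
        for d in recent:
            if exe_l.startswith(d.path.lower().rstrip("\\") + "\\"):
                hit = d.path
                break
        result[e.exe] = hit
    return result


def triage(reference_iso: str = "2007-03-29") -> Dict[str, Optional[str]]:
    """Run the whole check over the sample input for a given reference date."""
    return flag_entries(parse_hjt_o4(HJT_LINES), parse_combofix_modified(CF_LINES),
                        date.fromisoformat(reference_iso))


if __name__ == "__main__":
    for exe, where in triage().items():
        print(("SUSPECT  " if where else "no match ") + exe)
```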

#13 kerriwfc
  • Topic Starter

  • Members
  • 7 posts

Posted 02 April 2007 - 01:10 PM

I have tried to delete the contents of the C:/Windows/Temp folder, but I get a message that the files can't be deleted because they are in use, no matter what user I log in as. I booted into safe mode and was able to delete them.

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 02, 2007 12:40:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/04/2007
Kaspersky Anti-Virus database records: 289939
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 58588
Number of viruses found: 7
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 02:01:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B480000.VBN/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B480000.VBN/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B480000.VBN/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B480000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B480000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B480002.VBN Infected: Trojan-Downloader.Win32.Agent.avf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100001.VBN Infected: Trojan-Downloader.JS.Small.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100003.VBN Infected: Trojan-Downloader.JS.Small.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140000.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140002.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140004.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140006.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140008.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000A.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000C.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000E.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D400000.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280001.VBN Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\SBailey\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\SBailey\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\cert8.db Object is locked skipped
C:\Documents and Settings\SBailey\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\SBailey\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\history.dat Object is locked skipped
C:\Documents and Settings\SBailey\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\key3.db Object is locked skipped
C:\Documents and Settings\SBailey\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\parent.lock Object is locked skipped
C:\Documents and Settings\SBailey\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\ttncgqiu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\SBailey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SBailey\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SBailey\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Audible\Admin\atm.log Object is locked skipped
C:\Program Files\Audible\Admin\audible_log.txt Object is locked skipped
C:\Program Files\Audible\Admin\playlist.ap Object is locked skipped
C:\Program Files\Audible\Bin\CDLog.ini Object is locked skipped
C:\Program Files\Audible\Bin\Details.html Object is locked skipped
C:\Program Files\Audible\Bin\Picture.jpg Object is locked skipped
C:\Program Files\Audible\Bin\Update.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0317NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0728NAV~.TMP Object is locked skipped
C:\Program Files\Webroot\Enterprise\Spy Sweeper\Logs\ClientSessionLog.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\CS030E3FAE-26B1-4026-8E2C-0863BF2CE384.tmp Object is locked skipped
C:\WINDOWS\Temp\CS04C65D0B-B8CE-4458-A100-FFC71CADB537.tmp Object is locked skipped
C:\WINDOWS\Temp\CS06B6F656-0A4D-4827-9B45-A3C8AA21115B.tmp Object is locked skipped
C:\WINDOWS\Temp\CS0A81EAA6-E9E9-4DF0-93E3-E4213CE1356D.tmp Object is locked skipped
C:\WINDOWS\Temp\CS0B3CD5D0-5BBD-453F-A91A-2151D97A8EC2.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1109C984-B94F-4E61-BDA7-5E87EA153F8B.tmp Object is locked skipped
C:\WINDOWS\Temp\CS122ACC79-FB46-4B01-AA09-8FC7B08EA2C7.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1312F846-0643-447C-A6A0-C4F056A9D6E8.tmp Object is locked skipped
C:\WINDOWS\Temp\CS14F166FC-1E54-4332-8995-89F0EEEB2E87.tmp Object is locked skipped
C:\WINDOWS\Temp\CS16515061-D46B-47D4-9F3D-1067E57007AA.tmp Object is locked skipped
C:\WINDOWS\Temp\CS172AFBF0-0373-4344-94A4-BDB15A9D2706.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1832559F-7943-4563-BF2E-BB5A39358771.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1B785599-8D6D-426E-8D19-C15FE65C8493.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1BA8EF86-DD29-475B-BEE6-94E5632E9DCB.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1BF4CE5C-3A46-428C-B2EB-C458BDBA0A25.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1D51C33D-0A29-4676-9DAC-156DF2FAB883.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1E1A31D0-16D0-49B2-8CE2-2EB0E50BBC18.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1F737BA4-6695-490F-9117-A7A280F0963A.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1FD1834F-D2C3-481F-B92C-401E1B8E9BEC.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1FD4989A-1E80-4A15-A035-30CAFEEC205C.tmp Object is locked skipped
C:\WINDOWS\Temp\CS21201F30-AF3A-4D5B-A9F5-BFBBEF0F4357.tmp Object is locked skipped
C:\WINDOWS\Temp\CS21718822-0900-4BB9-9385-AF2D9B655D14.tmp Object is locked skipped
C:\WINDOWS\Temp\CS218913AB-2BDA-4135-AFDE-473BABF10472.tmp Object is locked skipped
C:\WINDOWS\Temp\CS27FFF962-E138-40C9-A8BB-96E90BC21005.tmp Object is locked skipped
C:\WINDOWS\Temp\CS29440ECE-EAE8-46CE-8983-737069D3859E.tmp Object is locked skipped
C:\WINDOWS\Temp\CS2BDDB6D7-A0FA-4A82-A8B7-10EA6F4D2DBF.tmp Object is locked skipped
C:\WINDOWS\Temp\CS32E3B074-A2EA-4384-A11D-29A9FEEA7A16.tmp Object is locked skipped
C:\WINDOWS\Temp\CS346E94D9-F099-474A-8AC4-930DFFFCA789.tmp Object is locked skipped
C:\WINDOWS\Temp\CS35C051BA-6B4D-4F61-BA33-3E69D66060C6.tmp Object is locked skipped
C:\WINDOWS\Temp\CS35F084A1-B728-4414-A3BE-D426BC77A3D4.tmp Object is locked skipped
C:\WINDOWS\Temp\CS416C4A52-5CF6-4A92-8A03-9417F1D00429.tmp Object is locked skipped
C:\WINDOWS\Temp\CS4400F708-129E-49E1-92D9-334CDBD44708.tmp Object is locked skipped
C:\WINDOWS\Temp\CS458B41AE-5B7F-433F-99E8-E7404F11B08B.tmp Object is locked skipped
C:\WINDOWS\Temp\CS45BE1064-AEA0-4179-89D5-FCC7D98ADAA1.tmp Object is locked skipped
C:\WINDOWS\Temp\CS4AC03B1F-224E-4DED-946F-5633455797EB.tmp Object is locked skipped
C:\WINDOWS\Temp\CS4C41803A-4AA9-4B28-A793-C31097CA98EB.tmp Object is locked skipped
C:\WINDOWS\Temp\CS4D4FAD47-3EE8-4EB6-B845-53E42919E486.tmp Object is locked skipped
C:\WINDOWS\Temp\CS513FA9F2-AB3C-4484-81C7-3CEAF2A52424.tmp Object is locked skipped
C:\WINDOWS\Temp\CS529DDB7A-4419-4ADB-A632-E829C748F4ED.tmp Object is locked skipped
C:\WINDOWS\Temp\CS531DD65E-A225-478A-9927-322CA8B3EC05.tmp Object is locked skipped
C:\WINDOWS\Temp\CS55DEEB75-68B1-4215-82F1-1BEFD148124A.tmp Object is locked skipped
C:\WINDOWS\Temp\CS5BB42492-B7B8-48EB-A21F-560068EABDD9.tmp Object is locked skipped
C:\WINDOWS\Temp\CS5FDB679B-771B-4633-AF98-B0D64C3AC823.tmp Object is locked skipped
C:\WINDOWS\Temp\CS60F4E741-50E0-496E-9D6B-6971AC9D96D6.tmp Object is locked skipped
C:\WINDOWS\Temp\CS61492B3E-4547-4304-BE7B-B218A205E2BC.tmp Object is locked skipped
C:\WINDOWS\Temp\CS67AB0F9A-BEFC-4B3D-92FF-DD474CA24CA8.tmp Object is locked skipped
C:\WINDOWS\Temp\CS6A93F288-128C-4BBB-A8B0-6F05286D24F0.tmp Object is locked skipped
C:\WINDOWS\Temp\CS6B0E282F-1DCD-4C21-B712-92D61DE8F573.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7113F3E6-8C3D-4AEE-8078-9B53020A5522.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7498A6E7-ACDD-477B-BA59-6D5860C6E224.tmp Object is locked skipped
C:\WINDOWS\Temp\CS74B65801-E929-46EE-884A-68F52360EBCE.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7A15095B-B3AA-41C1-8074-79A940A59289.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7DB87575-0CC9-4E9F-8B12-26D0DF57D519.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7F162EC9-C6D2-4033-8A9D-061BDA2658C3.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7FEBE8BC-306B-40D9-918A-802FEA412593.tmp Object is locked skipped
C:\WINDOWS\Temp\CS80F88BCC-4819-44F7-98E2-46A0545E3A9C.tmp Object is locked skipped
C:\WINDOWS\Temp\CS84137004-81FD-4CD8-9CA1-C1FD6CA0B1DC.tmp Object is locked skipped
C:\WINDOWS\Temp\CS851593BB-83FA-43D9-8DA7-6891EBAB20EF.tmp Object is locked skipped
C:\WINDOWS\Temp\CS86372196-8F96-4B13-B625-D32115FFD754.tmp Object is locked skipped
C:\WINDOWS\Temp\CS86767E9C-765D-4958-A241-E460A92772E5.tmp Object is locked skipped
C:\WINDOWS\Temp\CS8752C276-3C6F-413F-BA7A-DBA0365F59CF.tmp Object is locked skipped
C:\WINDOWS\Temp\CS8D9A2B52-46B8-4A79-80F9-0516325BFCE6.tmp Object is locked skipped
C:\WINDOWS\Temp\CS8DD9E6E1-C227-4FCE-8C06-67D4EBA0B31D.tmp Object is locked skipped
C:\WINDOWS\Temp\CS906E3431-34B9-425D-A526-C4011B3FBA1C.tmp Object is locked skipped
C:\WINDOWS\Temp\CS90DD64B4-9914-4266-8B0F-DC4A8399C324.tmp Object is locked skipped
C:\WINDOWS\Temp\CS9286996F-3C9C-420C-8845-DFB8B0DBC758.tmp Object is locked skipped
C:\WINDOWS\Temp\CS9D7B9AEE-F1A8-4BD3-9493-E3CAF5B2E9F8.tmp Object is locked skipped
C:\WINDOWS\Temp\CSA05139D3-4706-46E7-B280-C25FE4847E2E.tmp Object is locked skipped
C:\WINDOWS\Temp\CSA408F102-B3DE-4DBF-B138-58E25C6DDCD3.tmp Object is locked skipped
C:\WINDOWS\Temp\CSADED89F9-8CC8-47B1-A2F0-4DCA021D9625.tmp Object is locked skipped
C:\WINDOWS\Temp\CSB160CFC7-4488-4B31-9A13-D545B3AA2D1F.tmp Object is locked skipped
C:\WINDOWS\Temp\CSBAC9C394-7F65-4D09-991B-0D1186247F99.tmp Object is locked skipped
C:\WINDOWS\Temp\CSBBACEEFA-B731-4E87-BAEA-016C304A8891.tmp Object is locked skipped
C:\WINDOWS\Temp\CSBBDE6384-1612-4858-9A06-92AF6CFE08D7.tmp Object is locked skipped
C:\WINDOWS\Temp\CSC3714D33-6383-4DBF-AEE2-6ED9480BCBE4.tmp Object is locked skipped
C:\WINDOWS\Temp\CSC551A4AA-919A-4B8A-8D8E-C33A3E96F2AE.tmp Object is locked skipped
C:\WINDOWS\Temp\CSC58C15C8-2A5B-42B8-BC07-9864FE48EFC5.tmp Object is locked skipped
C:\WINDOWS\Temp\CSCABF3EFB-0800-4FB8-ABAD-B0402C956FC0.tmp Object is locked skipped
C:\WINDOWS\Temp\CSD13903CF-90D3-4C8A-8AA2-AB596E2CAFC4.tmp Object is locked skipped
C:\WINDOWS\Temp\CSD2665881-7AD1-4D81-91C5-629C29966006.tmp Object is locked skipped
C:\WINDOWS\Temp\CSD854E730-7B0C-45D4-83E3-514458A2E196.tmp Object is locked skipped
C:\WINDOWS\Temp\CSD9BFB446-9F18-49DB-8590-111BA7C32924.tmp Object is locked skipped
C:\WINDOWS\Temp\CSDA937376-BD32-4657-93A5-222702410EB3.tmp Object is locked skipped
C:\WINDOWS\Temp\CSDDC95E03-7D4D-4E5B-80A7-39C41B332EC1.tmp Object is locked skipped
C:\WINDOWS\Temp\CSDE193569-BA90-494B-9C77-ED54AE25B5C9.tmp Object is locked skipped
C:\WINDOWS\Temp\CSE1BFFD9E-AFCA-4CC6-AD81-4F4EFE4D46ED.tmp Object is locked skipped
C:\WINDOWS\Temp\CSE3337A49-1655-488F-B02A-7911F959EDB5.tmp Object is locked skipped
C:\WINDOWS\Temp\CSEA3E6D48-F590-422C-AE33-51C575523789.tmp Object is locked skipped
C:\WINDOWS\Temp\CSEA6BAD83-B652-4B25-95EE-1913CB24B613.tmp Object is locked skipped
C:\WINDOWS\Temp\CSEAAE3A22-052F-4505-B92B-CEBC865C8A2A.tmp Object is locked skipped
C:\WINDOWS\Temp\CSEAC66627-5347-4A0E-AEF6-CC3C4C36B609.tmp Object is locked skipped
C:\WINDOWS\Temp\CSEDC48BF2-2D3E-470F-AF69-833122A670DA.tmp Object is locked skipped
C:\WINDOWS\Temp\CSF0F938A0-34CA-46BB-BE5E-C9BFDE093546.tmp Object is locked skipped
C:\WINDOWS\Temp\CSF46C54D7-875C-49DC-B520-FBCE75960E2C.tmp Object is locked skipped
C:\WINDOWS\Temp\CSF5FE721B-F6E5-4776-9524-3282FDC08FEA.tmp Object is locked skipped
C:\WINDOWS\Temp\CSFA264E57-5E9E-42C4-82B0-BEE5C996FCAA.tmp Object is locked skipped
C:\WINDOWS\Temp\CSFC1BCD06-5E41-41F5-A2F9-9ACA928053A8.tmp Object is locked skipped
C:\WINDOWS\Temp\CSFC2EEB7F-6AE3-4CB6-818A-79A8D2534894.tmp Object is locked skipped
C:\WINDOWS\Temp\CSFDA27FD1-45A8-4DA3-B3CB-7AB4EE7DE93B.tmp Object is locked skipped
C:\WINDOWS\Temp\CSFEA41448-2C7E-4197-9DB6-ECBD2416C97F.tmp Object is locked skipped
C:\WINDOWS\Temp\CSFFF1793E-1328-4824-A46D-AAA302A8054A.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_614.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Every time I deleted the cache, cookies, and temporary internet files I have been logged in as SBAILEY.

I fixed the items in the hijackthis log and deleted the files you suggested.

Virustotal scan on ctfmon.exe:

Complete scanning result of "ctfmon.exe", received in VirusTotal at 04.02.2007, 19:43:35 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.3.0 04.02.2007 no virus found
AntiVir 7.3.1.48 04.02.2007 no virus found
Authentium 4.93.8 03.31.2007 no virus found
Avast 4.7.936.0 04.02.2007 no virus found
AVG 7.5.0.447 04.02.2007 no virus found
BitDefender 7.2 04.02.2007 no virus found
CAT-QuickHeal 9.00 04.02.2007 no virus found
ClamAV devel-20070312 04.02.2007 no virus found
DrWeb 4.33 04.02.2007 no virus found
eSafe 7.0.15.0 04.02.2007 no virus found
eTrust-Vet 30.6.3535 04.02.2007 no virus found
Ewido 4.0 04.02.2007 no virus found
FileAdvisor 1 04.02.2007 No threat detected
Fortinet 2.85.0.0 04.02.2007 no virus found
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 04.02.2007 no virus found
Ikarus T3.1.1.3 04.02.2007 no virus found
Kaspersky 4.0.2.24 04.02.2007 no virus found
McAfee 4998 04.02.2007 no virus found
Microsoft 1.2306 04.02.2007 no virus found
NOD32v2 2163 04.02.2007 no virus found
Norman 5.80.02 04.02.2007 no virus found
Panda 9.0.0.4 04.02.2007 no virus found
Prevx1 V2 04.02.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.31.2007 no virus found
Symantec 10 04.02.2007 no virus found
TheHacker 6.1.6.084 04.02.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 04.01.2007 no virus found
VirusBuster 4.3.7:9 04.02.2007 no virus found
Webwasher-Gateway 6.0.1 04.02.2007 no virus found

Aditional Information
File size: 15360 bytes
MD5: 24232996a38c0b0cf151c2140ae29fc8
SHA1: b36d03b56a30187ffc6257459d632a4faac48af2
Bit9 info: http://fileadvisor.bit9.com/services/extin...151c2140ae29fc8



Symantec is up to date.

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 April 2007 - 01:22 PM

Hi,

ctfmon.exe looks to be OK... it was not patched.

The Kaspersky scan, was this before or after you deleted the files present in the Temp folder? Because the Kaspersky online scan shows them still present.

Did you make sure your hidden files and folders were shown? Including the Hide protected operating system files? Because that's very important.

Also, open your Norton Antivirus, select the Quarantine option and delete anything present in there, because that's where your Kaspersky flags the infected files.
The rest of the log looks ok.

How are things now?

Edit: as a side note, I recommend you uninstall Morpheus, since this is an unwanted P2P program.
Look here for the ones that are infected, suspicious and clean: http://p2p.malwareremoval.com/
Then delete the C:\Program Files\Morpheus folder after you uninstalled it (if still present).

Edited by miekiemoes, 02 April 2007 - 01:24 PM.


#15 kerriwfc
  • Topic Starter

  • Members
  • 7 posts

Posted 02 April 2007 - 03:53 PM

I deleted the temp folder after I ran the Kaspersky scan. Yes, I did make sure the hidden files and folders were shown, including the Hide protected operating system files. I deleted everything that was in the quarantine folder. Morpheus was not installed, so I deleted the folders for it.

Things are good now. The Symantec email proxy pop-ups are gone and Internet Explorer is showing the whole page now. I have run the virus scan, Spybot, and Ad-Aware again and nothing was found. Thanks for your help!



