
Unable To Remove Trojan In Ntiot10.dll


  • This topic is locked
8 replies to this topic

#1 jmoore2

jmoore2

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 07 May 2007 - 01:25 PM

Hello.
I have a Windows 2000 system and Norton warns of a trojan in C:\WINNT\system32\ntiot10.dll along with popups and audio advertising. Norton is unable to repair it and I have run Ad-aware, but it will now not connect to the internet to download Spybot SD. I have run a hijack log and used removable media to send it from another computer. I am unable to delete the infected files and you will notice the O2 BHO entry; it will not delete. If you could give me some advice I would certainly appreciate it. The HijackThis log is attached below. Thanks in advance. Joe.

C:\WINNT\System32\Promon.exe
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\vcat\Server\FFSERV32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\ntiot10.dll
O2 - BHO: HPOVASMD.BrowserSensor - {04047354-D353-11D2-B3EB-0060B03C5581} - C:\WINNT\Downloaded Program Files\hpBrSn24.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINNT\System32\tmp36.tmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\System32\lsasss.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINNT\vttrrq.dll",realset
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [xrunwin] C:\WINNT\svchost.exe
O4 - Startup: GTVEpg.lnk = Got All Media\Components\GTVEpg.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Shortcut to FFSERV32.lnk = C:\vcat\Server\FFSERV32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O12 - Plugin for .com/RightSite/getobject/Retailer Education and Training/Certification/Others/Summary of New Requirements by Job-Role: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JVMDetect - http://www.leaseterm.dealercreditweb.com/d...s/jvmdetect.cab
O16 - DPF: websign - https://www.leaseterm.dealercreditweb.com/websign.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04047354-D353-11D2-B3EB-0060B03C5581} (HPOVASMD.BrowserSensor) - https://dealerconnect.chrysler.com/wto/plugin/hpBrSn.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.67.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ntiot10 - C:\WINNT\SYSTEM32\ntiot10.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 07 May 2007 - 02:20 PM

Hey jmoore2

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

Vundo Fix:
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the box:
    C:\WINNT\system32\ntiot10.dll
    C:\WINNT\System32\tmp36.tmp.dll
    C:\WINNT\vttrrq.dll
  • Click Add Files and Click Close Window
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Fix the HJT entries:
  • Open hijackthis and select the DO A SYSTEM SCAN ONLY option.
  • Place a check next to the following items:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
    O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\ntiot10.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINNT\System32\tmp36.tmp.dll
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\System32\lsasss.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINNT\vttrrq.dll",realset
    O4 - HKCU\..\Run: [xrunwin] C:\WINNT\svchost.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: ntiot10 - C:\WINNT\SYSTEM32\ntiot10.dll
  • Close all open browsers and windows, except hijackthis. Then select Fix checked. Now close HJT.
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\ntiot10.dll
    C:\WINNT\System32\tmp36.tmp.dll
    C:\WINNT\System32\lsasss.exe
    C:\WINNT\vttrrq.dll
    C:\WINNT\svchost.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

ComboFix:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running! That may cause it to stall.


Please can you include the following logs in your next reply - they may need separate posts to stop them getting cut off:

VundoFix Log
ComboFix Log
A new Hijackthis log


How is your computer running now? Is your internet access back to normal?
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.
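As an added example for this thread (not code from BleepingComputer, the poster, or the HijackThis project), the script below applies the same reasoning jamielaw used above to pick the entries out of the HJT log: a proxy setting pointing at the local machine, BHOs with no name, a Winlogon Notify package nobody recognises, and Run entries whose file names imitate core Windows binaries (lsasss.exe, svchost.exe outside System32) or sit directly in the Windows folder. The sample lines are copied from the log posted earlier in the thread; the allow-list of Winlogon Notify packages and the set of system binary names are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log with the rules a malware helper applies by hand.
Added example for this thread; it is not code from BleepingComputer, the poster,
or the HijackThis project. The allow-list of Winlogon Notify packages and the set
of system binary names are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\ntiot10.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINNT\System32\tmp36.tmp.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\System32\lsasss.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINNT\vttrrq.dll",realset
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [xrunwin] C:\WINNT\svchost.exe
O20 - Winlogon Notify: ntiot10 - C:\WINNT\SYSTEM32\ntiot10.dll
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
"""

# Names of core Windows binaries that legitimately live in System32 (assumption).
KNOWN_SYSTEM_EXES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
                     "csrss.exe", "smss.exe", "spoolsv.exe"}
# Winlogon Notify packages normally present on Windows 2000/XP (assumed allow-list).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx)\b", re.I)  # first path in the entry
WINROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)$")            # the Windows folder itself
LOCAL_PROXY_RE = re.compile(r"=\s*(localhost|127\.0\.0\.1)", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text: str) -> list:
    """Return one Finding per HJT entry that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        sect, body = m.group("sect"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0).lower() if pm else ""
        folder, _, fname = path.rpartition("\\")
        reasons = []
        if sect == "R1" and "proxyserver" in body.lower() and LOCAL_PROXY_RE.search(body):
            reasons.append("browser proxy points at a local port (traffic interception)")
        if sect == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO loaded into Internet Explorer")
        if sect == "O20" and body.startswith("Winlogon Notify:"):
            pkg = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
            if pkg not in KNOWN_NOTIFY:
                reasons.append(f"Winlogon Notify package '{pkg}' is not on the allow-list")
        if sect == "O4" and fname:
            if fname in KNOWN_SYSTEM_EXES and not folder.endswith("\\system32"):
                reasons.append(f"system binary name '{fname}' running outside System32")
            elif fname not in KNOWN_SYSTEM_EXES and any(
                    levenshtein(fname, k) == 1 for k in KNOWN_SYSTEM_EXES):
                reasons.append(f"'{fname}' is a one-character lookalike of a system binary")
            if WINROOT_RE.match(folder) and fname != "explorer.exe":
                reasons.append(f"'{fname}' dropped directly in the Windows folder")
        if reasons:
            findings.append(Finding(sect, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.line}\n    -> {'; '.join(f.reasons)}")
```

Run as-is, it flags the same seven entries jamielaw told the poster to fix and leaves the Adobe, Symantec and Intel entries alone. The rules produce leads, not verdicts: the second HJT log later in this thread lists Spybot's own SDHelper.dll as an "(no name)" BHO, so an unnamed BHO still needs the GUID and file path checked against a known-vendor list before anything is removed.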


#3 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 08 May 2007 - 07:13 AM

Hey Jamielaw,
Thanks for getting back with me so fast, but there seems to be a problem with the link to the combofix.exe file. The link goes to a bad URL (404 error). I did not want to proceed until I can fully follow the instructions. Thanks again.
Joe.

#4 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 08 May 2007 - 11:15 AM

Hey jmoore2

This is the correct link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

My apologies. Thanks a lot for not proceeding as well :thumbsup:

#5 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 08 May 2007 - 11:30 AM

Thanks JamieLaw,
I have run the recommended programs and the internet access is back up. Great!! I also installed and ran Spybot SD and ran a system scan with Norton. There seem to still be some pop-ups trying to come through.
There was an error writing the log for Vundo so I cannot send it, but here is the new HJT log and the ComboFix log.
Thanks again for your help. Joe.

"administrator" - 05/08/2007 10:26:25 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\DOWNLO~1.\TriJinx.1.0.0.67


((((((((((((((((((((((((((((((( Files Created from 05/0-01-07 to 05/08/2007 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{00e94e95-0031-4661-a4fa-286880c05b00}"="C:\WINNT\system32\ntiot10.dll" [x]
"{04047354-D353-11D2-B3EB-0060B03C5581}"="C:\WINNT\Downloaded Program Files\hpBrSn24.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{BDF3E430-B101-42AD-A544-FADC6B084872}"="C:\Program Files\Norton AntiVirus\NavShExt.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"tourpath"="regedit /s c:\\winnt\\tour.reg"
"Synchronization Manager"="mobsync.exe /logon"
"Promon.exe"="Promon.exe"
"Smapp"="Smtray.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ntiot10

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss RpcSs\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Norton AntiVirus - Scan my computer - Administrator.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 10:27:53
Windows 5.0.2195 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 05/08/2007 10:28:05
C:\ComboFix-quarantined-files.txt ... 05/08/07 10:28a


HJT log to follow on another post.

#6 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 08 May 2007 - 11:33 AM

Here is the HJT log. I am still getting some pop-ups but I have not run Ad-aware again.
Thanks, Joe.


Logfile of HijackThis v1.99.1
Scan saved at 12:09:57 PM, on 5/8/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\vcat\Server\FFSERV32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\RunDll32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\System32\insnfo.dll
O2 - BHO: HPOVASMD.BrowserSensor - {04047354-D353-11D2-B3EB-0060B03C5581} - C:\WINNT\Downloaded Program Files\hpBrSn24.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Startup: GTVEpg.lnk = Got All Media\Components\GTVEpg.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Shortcut to FFSERV32.lnk = C:\vcat\Server\FFSERV32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O12 - Plugin for .com/RightSite/getobject/Retailer Education and Training/Certification/Others/Summary of New Requirements by Job-Role: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JVMDetect - http://www.leaseterm.dealercreditweb.com/d...s/jvmdetect.cab
O16 - DPF: websign - https://www.leaseterm.dealercreditweb.com/websign.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04047354-D353-11D2-B3EB-0060B03C5581} (HPOVASMD.BrowserSensor) - https://dealerconnect.chrysler.com/wto/plugin/hpBrSn.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.67.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#7 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 08 May 2007 - 06:36 PM

Hey jmoore2

The ComboFix log hasn't produced the desired results. Please could you re-run it and post the new log.

There was an error writing the log for Vundo so I cannot send it

Please could you be more specific - any error messages etc?

I also installed and ran Spybot SD

Following my initial instructions:

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

Please refrain from installing any programs or running any scans unless asked to do so - cheers :thumbsup:

But since you ran scans with Norton and Spybot S&D - did you get a logfile - any infections found?

#8 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 13 May 2007 - 05:36 AM

Are you still monitoring this thread?

#9 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 14 May 2007 - 03:51 PM

At the request of the user, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




