
Trojan Horse In C:\system32\insnfo.dll Can't Remove


This topic is locked
14 replies to this topic

#1 jmoore2


Posted 29 May 2007 - 12:27 PM

This computer is infected and it causes popups and plays music. When programs such as adaware and spybot sd are run they remove part of the trouble for a short period but it seems to reinstall. I have removed the computer from the internet until this problem is resolved. Here is the Hijack log.
Please help.
jmoore2.


Logfile of HijackThis v1.99.1
Scan saved at 12:37:14 PM, on 5/29/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\ojpa.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\vcat\Server\FFSERV32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: HPOVASMD.BrowserSensor - {04047354-D353-11D2-B3EB-0060B03C5581} - C:\WINNT\Downloaded Program Files\hpBrSn24.dll
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINNT\tlhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\System32\tmp2.tmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O4 - Startup: GTVEpg.lnk = Got All Media\Components\GTVEpg.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Shortcut to FFSERV32.lnk = C:\vcat\Server\FFSERV32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .com/RightSite/getobject/Retailer Education and Training/Certification/Others/Summary of New Requirements by Job-Role: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JVMDetect - http://www.leaseterm.dealercreditweb.com/d...s/jvmdetect.cab
O16 - DPF: websign - https://www.leaseterm.dealercreditweb.com/websign.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04047354-D353-11D2-B3EB-0060B03C5581} (HPOVASMD.BrowserSensor) - https://dealerconnect.chrysler.com/wto/plugin/hpBrSn.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.67.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O20 - AppInit_DLLs:
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O21 - SSODL: msdns - {2B4B2E35-A6C8-46FF-814A-20727F176D3E} - C:\WINNT\msdns.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#2 jamielaw


Posted 29 May 2007 - 12:37 PM

Welcome jmoore2 :thumbsup:

Please give me a little time to get back to you with instructions.

Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#3 jamielaw


Posted 29 May 2007 - 12:52 PM

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 4 for Windows 2000. Without this update, you're wide open to re-infection, and we're both just wasting our time.
  • Click HERE for the update.
  • Apply the update.
  • REBOOT YOUR SYSTEM
  • Post a fresh Hijack This log


#4 jmoore2


Posted 29 May 2007 - 02:39 PM

Jamielaw,
Here is the HJT log after update to SP 4 and reboot. Also, after the update the items in the system tray have disappeared.


Logfile of HijackThis v1.99.1
Scan saved at 3:23:01 PM, on 5/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\ojpa.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\vcat\Server\FFSERV32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: HPOVASMD.BrowserSensor - {04047354-D353-11D2-B3EB-0060B03C5581} - C:\WINNT\Downloaded Program Files\hpBrSn24.dll
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINNT\tlhelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O4 - Startup: GTVEpg.lnk = Got All Media\Components\GTVEpg.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Shortcut to FFSERV32.lnk = C:\vcat\Server\FFSERV32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .com/RightSite/getobject/Retailer Education and Training/Certification/Others/Summary of New Requirements by Job-Role: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JVMDetect - http://www.leaseterm.dealercreditweb.com/d...s/jvmdetect.cab
O16 - DPF: websign - https://www.leaseterm.dealercreditweb.com/websign.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04047354-D353-11D2-B3EB-0060B03C5581} (HPOVASMD.BrowserSensor) - https://dealerconnect.chrysler.com/wto/plugin/hpBrSn.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.67.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O20 - AppInit_DLLs:
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O21 - SSODL: msdns - {2B4B2E35-A6C8-46FF-814A-20727F176D3E} - C:\WINNT\msdns.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#5 jamielaw


Posted 29 May 2007 - 02:57 PM

Hey jmoore2

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

Downloader.Agent.awf:

Please download FindAWF.exe

Run the tool and post the contents of the report in your next reply.

VirusTotal:

1. Go to this website: www.virustotal.com
2. Upload this file by copy/pasting it in to the file box: C:\WINNT\ojpa.exe
3. Submit the file and copy/paste the results back into this thread.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
Please can you include the following logs in your next reply - they may need separate posts to stop them getting cut off:

FindAWF Log
VirusTotal Results
SDFix Report
A new Hijackthis log


#6 jmoore2


Posted 29 May 2007 - 04:12 PM

Jamielaw,
Here are the results. Also, the items are back in the system tray.
Looking forward to your reply,
jmoore2


Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

01/23/2007 02:56p 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/13/2004 03:30p 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/11/2002 07:06a 188,416 hpztsb06.exe
1 File(s) 188,416 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Jan 23 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
37828 May 8 2007 "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe"
188416 Jul 11 2002 "C:\WINNT\system32\spool\drivers\w32x86\3\bak\hpztsb06.exe"


end of report





STATUS: FINISHED
Complete scanning result of "ojpa.exe", received in VirusTotal at 05.29.2007, 22:10:53 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.29.2007 no virus found
AVG 7.5.0.467 05.29.2007 no virus found
BitDefender 7.2 05.29.2007 no virus found
CAT-QuickHeal 9.00 05.29.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.29.2007 no virus found
eSafe 7.0.15.0 05.29.2007 no virus found
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.29.2007 no virus found
Fortinet 2.85.0.0 05.29.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.29.2007 no virus found
Ikarus T3.1.1.8 05.29.2007 no virus found
Kaspersky 4.0.2.24 05.29.2007 no virus found
McAfee 5041 05.29.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2296 05.29.2007 no virus found
Norman 5.80.02 05.29.2007 no virus found
Panda 9.0.0.4 05.28.2007 Suspicious file
Prevx1 V2 05.29.2007 Covert.Sys.Exec
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.29.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.29.2007 no virus found
Webwasher-Gateway 6.0.1 05.29.2007 no virus found


Aditional Information
File size: 17408 bytes
MD5: 459e037cf94d202888118ee17b9fbf35
SHA1: 7b5ed21f01a7795f2facaa43aab4203acccc7ede
Prevx info: http://fileinfo.prevx.com/fileinfo.asp


see next post for the SDfix report and a new HJT log.

#7 jmoore2


Posted 29 May 2007 - 04:15 PM

Here are the other reports.



SDFix: Version 1.85

Run by Administrator - Tue 05/29/2007 - 16:39:37.15

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp3.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp5.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7.tmp.exe - Deleted
C:\svchost.exe - Deleted
C:\WINNT\domain-access-time.txt - Deleted
C:\WINNT\msdns.dll - Deleted
C:\WINNT\search_res.txt - Deleted
C:\WINNT\system32\ipv6mons.dll - Deleted
C:\WINNT\tlhelper.dll - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINNT\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Administrator\NetHood\support.carbiz.com\Desktop.ini

Finished



Logfile of HijackThis v1.99.1
Scan saved at 4:59:26 PM, on 5/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\ojpa.exe
C:\WINNT\system32\cssrss.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\vcat\Server\FFSERV32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: HPOVASMD.BrowserSensor - {04047354-D353-11D2-B3EB-0060B03C5581} - C:\WINNT\Downloaded Program Files\hpBrSn24.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\tmp4.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\ssromk.dll",realset
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINNT\system32\cssrss.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7.tmp.exe"
O4 - Startup: GTVEpg.lnk = Got All Media\Components\GTVEpg.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Shortcut to FFSERV32.lnk = C:\vcat\Server\FFSERV32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .com/RightSite/getobject/Retailer Education and Training/Certification/Others/Summary of New Requirements by Job-Role: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JVMDetect - http://www.leaseterm.dealercreditweb.com/d...s/jvmdetect.cab
O16 - DPF: websign - https://www.leaseterm.dealercreditweb.com/websign.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04047354-D353-11D2-B3EB-0060B03C5581} (HPOVASMD.BrowserSensor) - https://dealerconnect.chrysler.com/wto/plugin/hpBrSn.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.67.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O20 - AppInit_DLLs:
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
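Three HijackThis logs in this thread (posts #1, #4 and #7) show one pattern worth reading mechanically: insnfo.dll is registered both as a BHO (O2) and as a Winlogon Notify handler (O20), a "(no name)" BHO rotates its file name from tmp3.tmp.dll to tmp4.tmp.dll, and after SDFix ran new Run entries appeared (ssromk.dll in the Windows root, a cssrss.exe that imitates csrss.exe, a tmp7.tmp.exe in Temp). The script below is an added example, not HijackThis code and not any poster's code: it parses Oxx lines, applies a handful of triage rules that are my own construction (temp-style names, modules loaded from the Windows or drive root, look-alikes of system process names, populated Winlogon Notify/SSODL keys, one module at several autostart points) and diffs two log excerpts copied from posts #4 and #7.

```python
"""Parse HijackThis 1.99-style log lines, rank entries for a second look and diff two
logs taken before and after a cleanup pass. Added example for this thread: not HijackThis
code and not any poster's code. The rules are my own simple construction and only rank
entries for a human to check; sample lines are copied from the logs in the thread."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class Entry(NamedTuple):
    section: str  # "O2", "O4", "O20" ...
    raw: str      # the whole line, stripped

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# a Windows path ending in a loadable module, quoted or bare
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|ocx))(?=["\s,]|$)', re.IGNORECASE)
SYSTEM_PROCESS_NAMES = ("csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe")

def parse_hjt(text: str) -> List[Entry]:
    """Keep only the Rx/Fx/Oxx lines; the header and the process list are skipped."""
    matches = [ENTRY_RE.match(line.strip()) for line in text.splitlines()]
    return [Entry(m.group(1), m.group(0)) for m in matches if m]

def _split(path: str) -> Tuple[str, str]:
    folder, _, name = path.lower().rpartition("\\")   # (folder, file name), lower-cased
    return folder, name

def one_edit_away(name: str, target: str) -> bool:
    """True when name differs from target by one inserted, dropped or swapped character."""
    if name == target or abs(len(name) - len(target)) > 1:
        return False
    i = 0
    while i < min(len(name), len(target)) and name[i] == target[i]:
        i += 1
    return (name[i + 1:] == target[i + 1:]  # swapped character
            or name[i + 1:] == target[i:]   # extra character (cssrss vs csrss)
            or name[i:] == target[i + 1:])  # dropped character

def triage(entry: Entry) -> Optional[str]:
    """Per-entry rules: where the module lives and what it is called."""
    for p in PATH_RE.findall(entry.raw):
        folder, base = _split(p)
        if re.fullmatch(r"tmp\d+\.tmp\.(dll|exe)", base) or "\\temp\\" in folder + "\\":
            return f"temp-style name or Temp folder: {p}"
        if folder in ("c:\\winnt", "c:\\windows", "c:"):
            return f"module loaded straight from the Windows or drive root: {p}"
        for sysname in SYSTEM_PROCESS_NAMES:
            if one_edit_away(base, sysname):
                return f"{base} imitates system process {sysname}: {p}"
            if base == sysname and folder not in ("c:\\winnt\\system32", "c:\\windows\\system32"):
                return f"system process name outside system32: {p}"
    if entry.section in ("O20", "O21") and not entry.raw.endswith(":"):
        return "Winlogon Notify / SSODL autostart is populated: review the DLL"
    return None

def triage_log(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Per-entry rules plus a cross-entry rule: one module at several autostart points."""
    seen: Dict[str, Set[str]] = {}
    for e in entries:
        for p in PATH_RE.findall(e.raw):
            seen.setdefault(_split(p)[1], set()).add(e.section)
    findings = []
    for e in entries:
        reason = triage(e)
        multi = [_split(p)[1] for p in PATH_RE.findall(e.raw) if len(seen[_split(p)[1]]) > 1]
        if reason is None and multi:
            reason = f"{multi[0]} is registered at {len(seen[multi[0]])} autostart points"
        if reason:
            findings.append((e.raw, reason))
    return findings

def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[str], List[str]]:
    """(lines that appeared, lines that vanished) between two logs."""
    old, new = {e.raw for e in before}, {e.raw for e in after}
    return [e.raw for e in after if e.raw not in old], [e.raw for e in before if e.raw not in new]

# excerpt of the post #4 log (after SP4, before SDFix)
BEFORE_SDFIX = r"""
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINNT\tlhelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\tmp3.tmp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O21 - SSODL: msdns - {2B4B2E35-A6C8-46FF-814A-20727F176D3E} - C:\WINNT\msdns.dll
"""
# excerpt of the post #7 log (after SDFix)
AFTER_SDFIX = r"""
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\tmp4.tmp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\ssromk.dll",realset
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINNT\system32\cssrss.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7.tmp.exe"
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
"""

if __name__ == "__main__":
    added, removed = diff_logs(parse_hjt(BEFORE_SDFIX), parse_hjt(AFTER_SDFIX))
    print("new since SDFix:", *added, "gone since SDFix:", *removed, sep="\n  ")
    for raw, why in triage_log(parse_hjt(AFTER_SDFIX)):
        print(f"REVIEW ({why}): {raw}")
```

Run as a script it prints the four entries that appeared after SDFix, the three that vanished (among them the msdns.dll SSODL entry SDFix deleted), and seven lines ranked for review; the legitimate ccApp entry is not flagged. The rules rank, they do not convict: the multi-autostart rule would also fire on NavShExt.dll, which legitimately registers as both a BHO (O2) and a toolbar (O3), which is why the output carries a reason for a human to read rather than a verdict.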

#8 jamielaw


Posted 01 June 2007 - 06:43 AM

Hey jmoore2

Downloader.Agent.awf:

Please launch Notepad (Start > Run, type in: notepad)
Copy/paste all the text below to it:

rem Put each backed-up original back only if the replaced copy is still in place.
rem (cmd.exe needs the "if exist" test and its command on a single line.)
if exist "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE" move "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared"
if exist "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe" move "C:\WINNT\system32\spool\drivers\w32x86\3\bak\hpztsb06.exe" "C:\WINNT\system32\spool\drivers\w32x86\3"
rem The batch file removes itself once the files are back.
del 123.bat


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: "123.bat"
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on bakfile.bat


====
Also, please run the following:

1. DelDomains
http://www.mvps.org/winhelp2002/DelDomains.inf
To delete all entries in the Restricted & Trusted Zone list, right click DelDomains.inf
Select: Install

2. ResetProtocolDefaults
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
Right click the link, save target as or save link as, and save to the Desktop.

Locate ResetProtocolDefaults.reg on the Desktop
Right-click and select: Merge
OK the prompt

Please can you then run the Downloader.Agent.awf tool again. Post the log back here.

Please could you also reinstall this program: Quicktime Player

Submit Files:

You have a file/s of interest to us. It would help the detection rates of the tools we use by getting hold of samples of these infections.

1. Go this website: http://www.bleepingcomputer.com/submit-malware.php?channel=15
2. Copy/paste this into the 'Link to Topic' box: http://www.bleepingcomputer.com/forums/t/93971/trojan-horse-in-csystem32insnfodll-cant-remove/
3. Copy/paste this into the 'Browser for File' box: C:\SDFix\backups\backups.zip
4. Repeat this process for this file/s as well:

C:\WINNT\ojpa.exe

5. Let me know if it was successful or not.

Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log and the Agent.AWF Log.

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#9 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 02 June 2007 - 11:06 AM

Jamielaw,
I do not seem to have the file on the desktop that you referenced, "bakfile.bat," could you please explain or send me the necessary program.
Thanks,
Joe.

#10 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 02 June 2007 - 11:27 AM

My mistake:

Next, on the Desktop, double click on bakfile.bat


That should be:

Next, on the Desktop, double click on 123.bat



#11 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 02 June 2007 - 03:22 PM

Jamielaw,
Both the files went in properly, and the following are the results you asked for. This computer is becoming very slow; it seems to need to be rebooted. Should I do this?
Thanks,
Joe.



Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

01/23/2007 02:56p 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/13/2004 03:30p 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/11/2002 07:06a 188,416 hpztsb06.exe
1 File(s) 188,416 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Jan 23 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
188416 Jul 11 2002 "C:\WINNT\system32\spool\drivers\w32x86\3\bak\hpztsb06.exe"


end of report



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 02, 2007 3:56:06 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/06/2007
Kaspersky Anti-Virus database records: 336512
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 41441
Number of viruses found: 17
Number of infected objects: 68 / 0
Number of suspicious objects: 1
Duration of the scan process: 01:37:41

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\insnfo.dll Object is locked skipped
C:\WINNT\system32\tmp2.tmp.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINNT\system32\SBUtils\SBWebCtl.dll Infected: not-a-virus:AdWare.Win32.WindowEnhancer.c skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-06-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CH6RU7W5\nauj_20070510[1] Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6FQDEPK9\drf1179326826[1].htm Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6FQDEPK9\drf1179326826[1].htm.exe Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G4T42BLV\ffa_dn[1] Infected: Trojan.Win32.Agent.agv skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VUZO7ID\index[2].htm Infected: Trojan-Downloader.JS.Psyme.gy skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\P4TDV9X3\rellatsnitneilc22_05[1].php Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1XJQN5GT\CASTEVS9 Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GNB7Y451\drf1179319192[1].htm Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GNB7Y451\drf1179319192[1].htm.exe Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q9W78J4H\adv605[1].htm Infected: Trojan-Downloader.JS.Agent.ab skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B695B1B.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B6F2F14 Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B6F2F14.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\Program Files\Norton AntiVirus\Quarantine\31ED7A42.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\352D4CAD.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\6238691C.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\050128D4.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\777B76DB.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\0EA22361.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\53322DED.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\6A4C3281.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\016D0B0E.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\1FB80FB7.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\49CA756C.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B1726AE.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B1A50AA.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B1D7AA7.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\4078066D.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\304639C0.htm Infected: Exploit.HTML.IESlice.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\16C337D6.exe Infected: Trojan-Downloader.Win32.Tiny.eu skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EAF3A4B.dll Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EB26448.dll Infected: Trojan.Win32.Agent.agv skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EB26448.vir Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EB26448.bad Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\69145439.vir Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\1942043B.htm/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\1942043B.htm ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1942043B.htm CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\19452E38.php Infected: Trojan-Downloader.Win32.Tiny.eu skipped
C:\Program Files\Norton AntiVirus\Quarantine\722E588D.php Infected: Trojan-Downloader.Win32.Tiny.eu skipped
C:\Program Files\Norton AntiVirus\Quarantine\43C6303A.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Norton AntiVirus\Quarantine\28516595.sys Infected: Trojan-Downloader.Win32.Agent.bnz skipped
C:\Program Files\Norton AntiVirus\Quarantine\6FF8246C.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Norton AntiVirus\Quarantine\7E0A0AF0.htm Infected: Trojan-Downloader.JS.Small.eo skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\vcat\BACKUP\RealVNC.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\vcat\BACKUP\RealVNC.exe Inno: infected - 1 skipped
C:\vcat\1.7UPDATE.100.EXE/WISE0020.BIN/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\vcat\1.7UPDATE.100.EXE/WISE0020.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\vcat\1.7UPDATE.100.EXE WiseSFX: infected - 2 skipped
C:\vcat_temp\BACKUP\RealVNC.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\vcat_temp\BACKUP\RealVNC.exe Inno: infected - 1 skipped
C:\vcat_temp\1.7UPDATE.100.EXE/WISE0020.BIN/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\vcat_temp\1.7UPDATE.100.EXE/WISE0020.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\vcat_temp\1.7UPDATE.100.EXE WiseSFX: infected - 2 skipped
C:\Copy of vcat\1.7UPDATE.100.EXE/WISE0020.BIN/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Copy of vcat\1.7UPDATE.100.EXE/WISE0020.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Copy of vcat\1.7UPDATE.100.EXE WiseSFX: infected - 2 skipped
C:\Copy of vcat\BACKUP\RealVNC.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Copy of vcat\BACKUP\RealVNC.exe Inno: infected - 1 skipped
C:\!KillBox\vttrrq.dll Infected: Packed.Win32.Klone.k skipped
C:\SDFix\backups\backups.zip/backups/tmp2.tmp.exe Infected: Trojan.Win32.BHO.g skipped
C:\SDFix\backups\backups.zip/backups/tmp5.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\SDFix\backups\backups.zip/backups/tmp6.tmp.exe Infected: Trojan.Win32.Agent.agv skipped
C:\SDFix\backups\backups.zip/backups/msdns.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\SDFix\backups\backups.zip/backups/ipv6mons.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\SDFix\backups\backups.zip/backups/tlhelper.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 5, suspicious - 1 skipped

Scan process completed.



HJT log to follow in next post.
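The Find AWF report above lists every "bak" folder and then the files of the same name found one level up. What makes a pair worth acting on is a size difference between the parent copy and the backup: that is the Downloader.Agent.awf pattern (the real program moved into bak\, the infection's own file dropped under the original name), and it is the pair the batch file in post #8 swaps back. As an added example that is not part of this thread and not noahdfear's tool, the Python below walks a directory tree, applies that comparison, and runs it against a constructed layout built from the file names and sizes quoted in the report (the folder layout under the temporary directory is an assumption; the file contents are filler bytes):

```python
"""Added example (not from the thread, not noahdfear's Find AWF tool): find
"bak" folders and compare each backup with the same-named file one level up.
Downloader.Agent.awf moves the legitimate program into <folder>\\bak\\ and drops
its own file under the original name, so a parent/bak pair whose sizes differ
is the pair the batch file in post #8 swaps back."""
import os
import tempfile


def find_bak_pairs(root):
    """Return one dict per file found inside a folder named 'bak', with the
    size of the same-named file in the parent folder (None if absent).
    The parent lookup is case-insensitive, as Windows file names are."""
    pairs = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        siblings = {n.lower(): n for n in os.listdir(parent)}
        for name in sorted(filenames):
            orig = siblings.get(name.lower())
            orig_path = os.path.join(parent, orig) if orig else None
            pairs.append({
                "name": name,
                "parent": parent,
                "bak_size": os.path.getsize(os.path.join(dirpath, name)),
                "orig_size": os.path.getsize(orig_path)
                             if orig_path and os.path.isfile(orig_path) else None,
            })
    pairs.sort(key=lambda p: (p["parent"].lower(), p["name"].lower()))
    return pairs


def classify(pair):
    """'mismatch' = parent copy differs in size from the backup (the AWF
    pattern); 'identical' = same size, most likely already restored;
    'orphan' = no parent copy at all, the backup is all that is left."""
    if pair["orig_size"] is None:
        return "orphan"
    if pair["orig_size"] != pair["bak_size"]:
        return "mismatch"
    return "identical"


def build_sample_tree(root):
    """Constructed layout mirroring the Find AWF report in post #11. Only the
    file names and sizes come from the report; contents are filler bytes."""
    layout = {
        ("Symantec Shared", "CCAPP.EXE"): 58984,          # dropped copy
        ("Symantec Shared", "bak", "ccApp.exe"): 58992,   # backed-up original
        ("Security Center", "UsrPrmpt.exe"): 218240,      # same size as backup
        ("Security Center", "bak", "UsrPrmpt.exe"): 218240,
        ("QuickTime", "bak", "qttask.exe"): 282624,       # no parent copy
    }
    for parts, size in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)


def report(root):
    """Print a Find-AWF-style summary and return [(name, verdict), ...]."""
    verdicts = []
    for p in find_bak_pairs(root):
        v = classify(p)
        print(f"{p['parent']}\\bak\\{p['name']}: bak={p['bak_size']} "
              f"parent={p['orig_size']} -> {v}")
        verdicts.append((p["name"], v))
    return verdicts


def run_demo():
    """Build the constructed tree in a temp dir and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return report(tmp)


if __name__ == "__main__":
    run_demo()
```

On the constructed tree this yields one mismatch (CCAPP.EXE at 58,984 bytes against the 58,992-byte backup, exactly the pair in the report), one identical pair (UsrPrmpt.exe, which the batch leaves alone), and one orphan (qttask.exe, whose parent copy is gone, which is why the reinstall of QuickTime was requested). A size comparison is only a first filter; before swapping files back on a real machine one would also compare hashes or at least the publisher signature of the parent copy.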

#12 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 02 June 2007 - 03:25 PM

Jamielaw,
Here is the HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 4:04:10 PM, on 6/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\ojpa.exe
C:\WINNT\system32\cssrss.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\vcat\Server\FFSERV32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\PROGRA~1\NORTON~1\IWP\Aleupdat.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: HPOVASMD.BrowserSensor - {04047354-D353-11D2-B3EB-0060B03C5581} - C:\WINNT\Downloaded Program Files\hpBrSn24.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\tmp4.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\ssromk.dll",realset
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINNT\system32\cssrss.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7.tmp.exe"
O4 - Startup: GTVEpg.lnk = Got All Media\Components\GTVEpg.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Shortcut to FFSERV32.lnk = C:\vcat\Server\FFSERV32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .com/RightSite/getobject/Retailer Education and Training/Certification/Others/Summary of New Requirements by Job-Role: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JVMDetect - http://www.leaseterm.dealercreditweb.com/d...s/jvmdetect.cab
O16 - DPF: websign - https://www.leaseterm.dealercreditweb.com/websign.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {04047354-D353-11D2-B3EB-0060B03C5581} (HPOVASMD.BrowserSensor) - https://dealerconnect.chrysler.com/wto/plugin/hpBrSn.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.67.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F341C3F-77F6-401E-BA8C-AF27AB8CC8B4}: NameServer = 204.116.57.2,66.168.240.35
O20 - AppInit_DLLs:
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
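As an added example that is not part of this thread and is not HijackThis code, the Python below parses a handful of lines copied from the log above and applies the checks a helper applies by eye: a BHO registered with no name, an O20 Winlogon Notify entry, an autorun launched from a Temp folder or straight from the Windows root, and the same file being referenced by more than one entry type (insnfo.dll is both the nameless O2 BHO and the O20 Winlogon Notify DLL). The rules are my own assumptions about what deserves a second look; they are a triage aid, not a verdict.

```python
"""Added example (not part of the thread, not HijackThis code): first-pass
triage of HijackThis log lines. The rules are assumptions about what a helper
looks for, not anything the tool itself flags."""
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00e94e95-0031-4661-a4fa-286880c05b00} - C:\WINNT\system32\insnfo.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mstsc] C:\WINNT\ojpa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\ssromk.dll",realset
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINNT\system32\cssrss.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7.tmp.exe"
O20 - Winlogon Notify: insnfo - C:\WINNT\SYSTEM32\insnfo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY = re.compile(r"^(?P<type>[OR]\d+)\s+-\s+(?P<body>.+)$")
QUOTED = re.compile(r'"([^"]+)"')


def entry_path(etype, body):
    """Best-effort file path an entry points at."""
    if etype == "O4":
        # O4 bodies look like 'HKLM\..\Run: [value name] command line'
        cmd = body.split("] ", 1)[1] if "] " in body else body
        q = QUOTED.search(cmd)
        return q.group(1) if q else cmd
    # O2/O20/O23 carry the path in the last ' - ' separated field
    return body.rsplit(" - ", 1)[-1]


def parse_hjt(text):
    """Turn log text into a list of {type, body, raw, path} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            etype, body = m.group("type"), m.group("body")
            entries.append({"type": etype, "body": body, "raw": line.strip(),
                            "path": entry_path(etype, body)})
    return entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return the entries that trip at least one rule, each with its reasons."""
    entries = parse_hjt(text)
    types_by_file = defaultdict(set)          # file name -> entry types using it
    for e in entries:
        types_by_file[basename(e["path"])].add(e["type"])
    hits = []
    for e in entries:
        p, reasons = e["path"].lower(), []
        if e["type"] == "O2" and "(no name)" in e["body"]:
            reasons.append("BHO registered without a name")
        if e["type"] == "O20":
            reasons.append("Winlogon Notify DLL: loaded by winlogon at every logon")
        if e["type"] == "O4":
            if "\\temp\\" in p:
                reasons.append("autorun launched from a Temp folder")
            if re.match(r"^[a-z]:\\winnt\\[^\\]+$", p):
                reasons.append("autorun launched straight from the Windows root")
        n_types = len(types_by_file[basename(e["path"])])
        if n_types > 1:
            reasons.append("same file hooked by %d entry types" % n_types)
        if reasons:
            hits.append({"raw": e["raw"], "path": e["path"], "reasons": reasons})
    return hits


def flagged_files(text):
    """Sorted, de-duplicated file names from triage(), handy as a checklist."""
    return sorted({basename(h["path"]) for h in triage(text)})


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["raw"])
        for r in h["reasons"]:
            print("    ->", r)
```

On the sample this flags insnfo.dll (twice, with the cross-reference reason on both lines), ojpa.exe, ssromk.dll and tmp7.tmp.exe, and leaves the Symantec and NAV Helper entries alone. Note what it misses: cssrss.exe sits in system32 and trips none of the path rules, even though its name is a look-alike of the legitimate csrss.exe and ComboFix later deletes it; a rule comparing value names against the list of well-known Windows process names would be the next thing to add.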

#13 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 04 June 2007 - 01:02 PM

Hey jmoore2

Make sure you reboot your computer before doing this.

ComboFix:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running! That may cause it to stall.


#14 jmoore2

jmoore2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 07 June 2007 - 01:02 PM

Hey jamielaw,
Here is the resulting combofix report.
Thanks,
Joe.


"Administrator" - 06/07/2007 13:33:39 Service Pack 4
ComboFix 07-06-06 - Running from: ""


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\ssromk.dll
C:\WINNT\kmorss.ini
C:\WINNT\system32\insnfo.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\opera6.ini
C:\WINNT\system32\cssrss.exe
C:\WINNT\system32\nso12k.sys
C:\WINNT\system32\tmp2.tmp.dll
C:\WINNT\system32\tmp3.tmp.dll
C:\WINNT\system32\tmp4.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DRIVER
-------\Driver


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 13:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-02 13:52 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-06-02 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-29 14:24 <DIR> d-------- C:\WINNT\system32\ie_de
2007-05-29 14:16 92,432 --a------ C:\WINNT\system32\xactsrv.dll
2007-05-29 14:16 8,464 --a------ C:\WINNT\system32\wshirda.dll
2007-05-29 14:16 74,512 --a------ C:\WINNT\system32\wmicore.dll
2007-05-29 14:16 69,904 --a------ C:\WINNT\system32\ws2_32.dll
2007-05-29 14:16 57,616 --a------ C:\WINNT\system32\wlnotify.dll
2007-05-29 14:16 4,368 --a------ C:\WINNT\system32\winver.exe
2007-05-29 14:16 39,696 --a------ C:\WINNT\system32\wsnmp32.dll
2007-05-29 14:16 39,184 --a------ C:\WINNT\system32\winsta.dll
2007-05-29 14:16 29,968 --a------ C:\WINNT\system32\wpnpinst.exe
2007-05-29 14:16 28,400 --a------ C:\WINNT\system32\wupdinfo.dll
2007-05-29 14:16 240,912 --a------ C:\WINNT\system32\wow32.dll
2007-05-29 14:16 21,776 --a------ C:\WINNT\system32\wsock32.dll
2007-05-29 14:16 17,680 --a------ C:\WINNT\system32\wshtcpip.dll
2007-05-29 14:16 166,160 --a------ C:\WINNT\system32\WINTRUST.DLL
2007-05-29 14:16 162,064 --a------ C:\WINNT\system32\WLDAP32.DLL
2007-05-29 14:16 10,000 --a------ C:\WINNT\system32\wshatm.dll
2007-05-29 14:15 79,120 --a------ C:\WINNT\system32\winscard.dll
2007-05-29 14:15 59,152 --a------ C:\WINNT\system32\winfax.dll
2007-05-29 14:15 42,768 --a------ C:\WINNT\system32\webhits.dll
2007-05-29 14:15 270,608 --a------ C:\WINNT\winhlp32.exe
2007-05-29 14:15 239,376 --a------ C:\WINNT\system32\winsmon.dll
2007-05-29 14:15 193,296 --a------ C:\WINNT\winrep.exe
2007-05-29 14:15 181,008 --a------ C:\WINNT\system32\WINLOGON.EXE
2007-05-29 14:15 155,920 --a------ C:\WINNT\system32\wavemsp.dll
2007-05-29 14:14 977,680 --a------ C:\WINNT\system32\vfpodbc.dll
2007-05-29 14:14 83,888 --a------ C:\WINNT\system32\vga.dll
2007-05-29 14:14 57,104 --a------ C:\WINNT\system32\w32tm.exe
2007-05-29 14:14 51,472 --a------ C:\WINNT\system32\w32time.dll
2007-05-29 14:14 49,776 --------- C:\WINNT\system32\drivers\usbhub20.sys
2007-05-29 14:14 403,216 --a------ C:\WINNT\system32\USER32.DLL
2007-05-29 14:14 389,904 --a------ C:\WINNT\system32\USERENV.DLL
2007-05-29 14:14 315,664 --a------ C:\WINNT\system32\usp10.dll
2007-05-29 14:14 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2007-05-29 14:14 26,384 --a------ C:\WINNT\system32\utildll.dll
2007-05-29 14:14 24,848 --a------ C:\WINNT\system32\spdwnw2k.exe
2007-05-29 14:14 22,800 --a------ C:\WINNT\system32\utilman.exe
2007-05-29 14:14 21,776 --------- C:\WINNT\system32\spupdw2k.exe
2007-05-29 14:14 19,728 --------- C:\WINNT\system32\drivers\usbehci.sys
2007-05-29 14:14 16,144 --a------ C:\WINNT\system32\version.dll
2007-05-29 14:14 15,872 --------- C:\WINNT\system32\spupdsvc.exe
2007-05-29 14:14 138,288 --------- C:\WINNT\system32\drivers\usbport.sys
2007-05-29 14:14 11,536 --a------ C:\WINNT\system32\usbmon.dll
2007-05-29 14:13 90,384 --a------ C:\WINNT\system32\trkwks.dll
2007-05-29 14:13 87,312 --a------ C:\WINNT\system32\TASKMGR.EXE
2007-05-29 14:13 81,168 --a------ C:\WINNT\system32\stobject.dll
2007-05-29 14:13 80,144 --a------ C:\WINNT\system32\telnet.exe
2007-05-29 14:13 7,440 --a------ C:\WINNT\system32\svcpack.dll
2007-05-29 14:13 68,368 --a------ C:\WINNT\system32\unimdmat.dll
2007-05-29 14:13 62,736 --a------ C:\WINNT\system32\sstext3d.scr
2007-05-29 14:13 61,712 --a------ C:\WINNT\system32\stisvc.exe
2007-05-29 14:13 55,056 --a------ C:\WINNT\system32\tlntsess.exe
2007-05-29 14:13 47,888 --a------ C:\WINNT\system32\ssbezier.scr
2007-05-29 14:13 419,600 --a------ C:\WINNT\system32\ssmaze.scr
2007-05-29 14:13 41,744 --a------ C:\WINNT\system32\tcpmon.dll
2007-05-29 14:13 41,744 --a------ C:\WINNT\system32\sti.dll
2007-05-29 14:13 41,744 --a------ C:\WINNT\system32\ssflwbox.scr
2007-05-29 14:13 397,584 --a------ C:\WINNT\system32\txfaux.dll
2007-05-29 14:13 38,672 --a------ C:\WINNT\system32\ssmarque.scr
2007-05-29 14:13 375,568 --a------ C:\WINNT\system32\tapi3.dll
2007-05-29 14:13 36,624 --a------ C:\WINNT\system32\ssmyst.scr
2007-05-29 14:13 35,600 --a------ C:\WINNT\system32\storprop.dll
2007-05-29 14:13 33,040 --a------ C:\WINNT\system32\ssstars.scr
2007-05-29 14:13 31,504 --a------ C:\WINNT\system32\traffic.dll
2007-05-29 14:13 27,920 --a------ C:\WINNT\system32\umandlg.dll
2007-05-29 14:13 246,544 --a------ C:\WINNT\system32\strmdll.dll
2007-05-29 14:13 24,848 --a------ C:\WINNT\system32\sqlwid.dll
2007-05-29 14:13 214,288 --a------ C:\WINNT\system32\snmpsnap.dll
2007-05-29 14:13 21,264 --a------ C:\WINNT\system32\stimon.exe
2007-05-29 14:13 187,664 --a------ C:\WINNT\system32\thumbvw.dll
2007-05-29 14:13 187,024 --a------ C:\WINNT\system32\spcmdcon.sys
2007-05-29 14:13 186,128 --a------ C:\WINNT\system32\tlntsvr.exe
2007-05-29 14:13 173,328 --a------ C:\WINNT\system32\tapisrv.dll
2007-05-29 14:13 17,680 --a------ C:\WINNT\system32\tftp.exe
2007-05-29 14:13 17,680 --a------ C:\WINNT\system32\SNMPAPI.DLL
2007-05-29 14:13 14,608 --a------ C:\WINNT\system32\uniplat.dll
2007-05-29 14:13 138,000 --a------ C:\WINNT\system32\ss3dfo.scr
2007-05-29 14:13 13,072 --a------ C:\WINNT\system32\tcpmib.dll
2007-05-29 14:13 126,736 --a------ C:\WINNT\system32\TAPI32.DLL
2007-05-29 14:13 102,160 --a------ C:\WINNT\system32\sspipes.scr
2007-05-29 14:12 971,024 --a------ C:\WINNT\system32\sfcfiles.dll
2007-05-29 14:12 97,040 --a------ C:\WINNT\system32\rtm.dll
2007-05-29 14:12 95,024 --a------ C:\WINNT\system32\sfc.dll
2007-05-29 14:12 85,776 --a------ C:\WINNT\system32\smlogsvc.exe
2007-05-29 14:12 77,584 --a------ C:\WINNT\system32\scripto.dll
2007-05-29 14:12 77,072 --a------ C:\WINNT\system32\rsvpsp.dll
2007-05-29 14:12 7,440 --a------ C:\WINNT\system32\sensapi.dll
2007-05-29 14:12 69,392 --a------ C:\WINNT\system32\shim.dll
2007-05-29 14:12 65,601 --a------ C:\WINNT\system32\servdeps.dll
2007-05-29 14:12 6,928 --a------ C:\WINNT\system32\skdll.dll
2007-05-29 14:12 48,912 --a------ C:\WINNT\system32\secur32.dll
2007-05-29 14:12 48,200 --------- C:\WINNT\system32\scrdx86.dll
2007-05-29 14:12 48,200 --------- C:\WINNT\system32\scrdenrl.dll
2007-05-29 14:12 454,416 --a------ C:\WINNT\system32\rpcrt4.dll
2007-05-29 14:12 45,840 --a------ C:\WINNT\system32\skeys.exe
2007-05-29 14:12 44,816 --a------ C:\WINNT\system32\rsm.exe
2007-05-29 14:12 38,160 --a------ C:\WINNT\system32\sens.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-08 23:22:46 10,344 ----a-w C:\WINNT\system32\drivers\symlcbrd.sys
2007-05-02 18:17:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-02 18:16:12 -------- d-----w C:\Program Files\Lavasoft
2007-05-02 18:15:04 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-28 23:41:32 517,848 ----a-w C:\WINNT\system32\SymNeti.dll
2007-03-28 23:41:28 132,824 ----a-w C:\WINNT\system32\SymRedir.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{04047354-D353-11D2-B3EB-0060B03C5581}=C:\WINNT\Downloaded Program Files\hpBrSn24.dll [04-08-13 09:41 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [05-05-31 01:04 ]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [05-05-17 20:14 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"Promon.exe"="Promon.exe" [01-03-13 11:49 C:\WINNT\system32\PROMON.EXE]
"Smapp"="Smtray.exe" [01-04-13 11:26 C:\WINNT\system32\SMTray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07-01-09 17:32 ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 17:59 ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [07-05-08 18:36 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-02-16 10:54 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
2007-05-12 14:01:20 C:\WINNT\tasks\Norton AntiVirus - Scan my computer - Administrator.job
2007-06-07 18:18:30 C:\WINNT\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 13:42:07
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Files hidden from API:
C:\WINNT\=
C:\WINNT\'
C:\WINNT\?

Completion time: 2007-06-07 13:44:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-07 13:43
C:\ComboFix3.txt ... 07-05-08 10:28
C:\ComboFix2.txt ... 07-05-08 17:22

--- E O F ---

#15 jamielaw

    Malware Ass-Kicker!

  • Members
  • 878 posts

Posted 14 June 2007 - 03:09 AM

*Edit*

From the PMs I presume you don't have this computer in your possession again. So I'll close this topic.

Edited by jamielaw, 15 June 2007 - 08:00 AM.

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

