Virtumonde / Vundo Infection / Winfixer Popups


This topic is locked
13 replies to this topic

#1 tobias.armstrong

Posted 12 July 2007 - 11:37 PM

Hi! I am DEEPLY infected with what appears to be Virtumonde and Vundo trojans. They seem to download other little monsters as well if left unchecked for long enough which I am constantly removing. I followed the instructions in the guide before posting - NOTHING I do can get rid of the infections. I ran the specialized Symantec tools for both Virtumonde and Vundo - neither found any infection, but it keeps turning up in all of the other virus/spyware checkers. I tried the manual removal instructions (deleting registry keys) that I found on Symantec as well, but I can't find any of the registry entries it is talking about...

HELP!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:00 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Maxtor\Utils\SyncServices.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Softwin\BitDefender10\vsserv.exe
F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Softwin\BitDefender10\bdmcon.exe
F:\Program Files\Softwin\BitDefender10\bdagent.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
F:\Program Files\Skype\Phone\Skype.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Linksys\CIT200\cit200.exe
F:\Program Files\Skype\Plugin Manager\skypePM.exe
F:\WINDOWS\System32\svchost.exe
f:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "F:\WINDOWS\system32\kexkrnld.dll",forkonce
O4 - HKLM\..\Run: [BDMCon] "F:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [APVXDWIN] "F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CIT200.lnk = F:\Program Files\Linksys\CIT200\cit200.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182885291203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182992119421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Panda Software Controller - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10255 bytes


#2 __RiP_ChAiN_

Posted 13 July 2007 - 12:25 AM

Hello tobias.armstrong,

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 tobias.armstrong (Topic Starter)

Posted 13 July 2007 - 12:17 PM

THANK YOU! Downloading now - will run as you described and repost. Thank you again!!!!

#4 tobias.armstrong (Topic Starter)

Posted 13 July 2007 - 12:41 PM

Hi - ran ComboFix as you directed. Also ran HijackThis again and have posted the log under the ComboFix log...

Thank you again for your help!!!


******** Combofix Log *******************


"Tobi and Omar" - 2007-07-13 13:22:02 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


F:\WINDOWS\system32\wybeg.bak1
F:\WINDOWS\system32\wybeg.bak2
F:\WINDOWS\system32\wybeg.ini
F:\WINDOWS\system32\wybeg.ini2
F:\WINDOWS\system32\wybeg.tmp
F:\WINDOWS\system32\wybeg.bak1
F:\WINDOWS\system32\wybeg.bak2
F:\WINDOWS\system32\wybeg.ini
F:\WINDOWS\system32\wybeg.ini2
F:\WINDOWS\system32\wybeg.tmp
F:\WINDOWS\system32\wybeg.bak1
F:\WINDOWS\system32\wybeg.bak2
F:\WINDOWS\system32\wybeg.ini
F:\WINDOWS\system32\wybeg.ini2
F:\WINDOWS\system32\wybeg.tmp
F:\WINDOWS\system32\gebyw.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


2007-07-13 13:21 51,200 --a------ F:\WINDOWS\nircmd.exe
2007-07-13 13:15 66,624 --a------ F:\WINDOWS\system32\ogkjpfne.dll
2007-07-13 00:23 <DIR> d-------- F:\Program Files\Trend Micro
2007-07-12 22:36 66,624 --a------ F:\WINDOWS\system32\iwoamwvr.dll
2007-07-12 20:50 66,624 --a------ F:\WINDOWS\system32\mljwiybq.dll
2007-07-12 20:37 71,680 --------- F:\WINDOWS\system32\drivers\PAVDRV51.SYS
2007-07-12 20:37 45,056 --a------ F:\WINDOWS\system32\avldr.dll
2007-07-12 20:37 248 --a------ F:\WINDOWS\system32\PavCPL.dat
2007-07-12 20:37 <DIR> d-------- F:\WINDOWS\system32\PAV
2007-07-12 20:30 66,624 --a------ F:\WINDOWS\system32\soowvtvb.dll
2007-07-12 20:12 <DIR> d-------- F:\WINDOWS\system32\appmgmt
2007-07-12 20:03 66,624 --a------ F:\WINDOWS\system32\kslaugjv.dll
2007-07-12 09:15 66,624 --a------ F:\WINDOWS\system32\naegjqvn.dll
2007-07-12 08:57 66,624 --a------ F:\WINDOWS\system32\vwtklnfh.dll
2007-07-12 08:45 221,184 --a------ F:\WINDOWS\system32\wmpns.dll
2007-07-12 08:35 66,624 --a------ F:\WINDOWS\system32\kjtuupxu.dll
2007-07-12 00:30 <DIR> d-------- F:\Program Files\Common Files\Panda Software
2007-07-12 00:29 33,340 --a------ F:\WINDOWS\system32\dbmsqlgc.dll
2007-07-12 00:29 24,576 --a------ F:\WINDOWS\system32\dbmsgnet.dll
2007-07-12 00:27 <DIR> d-------- F:\Program Files\Panda Software
2007-07-12 00:27 <DIR> d-------- F:\Program Files\Microsoft SQL Server
2007-07-12 00:09 81,984 --a------ F:\WINDOWS\system32\bdod.bin
2007-07-12 00:04 <DIR> d-------- F:\DOCUME~1\TOBIAN~1\APPLIC~1\Bitdefender
2007-07-12 00:04 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-07-08 16:34 <DIR> d-------- F:\Program Files\jv16 PowerTools
2007-07-08 16:20 <DIR> d-------- F:\Program Files\Orb Networks
2007-07-08 00:28 <DIR> d-------- F:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-07 15:26 28,672 --a------ F:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-07 15:19 <DIR> d--hs---- F:\WINDOWS\CSC
2007-07-07 15:11 786,432 --ah----- F:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-07 14:28 <DIR> d-------- F:\DOCUME~1\TOBIAN~1\APPLIC~1\Symantec
2007-07-07 13:22 22,112 -ra------ F:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-07 13:00 <DIR> d-------- F:\WINDOWS\system32\LogFiles
2007-07-07 12:43 <DIR> d-------- F:\DOCUME~1\TOBIAN~1\APPLIC~1\Ahead
2007-07-07 12:18 48,776 --a------ F:\WINDOWS\system32\S32EVNT1.DLL
2007-07-07 12:18 115,000 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-07 12:18 <DIR> d-------- F:\Program Files\Symantec
2007-07-07 12:18 <DIR> d-------- F:\Program Files\Norton 360
2007-07-07 12:05 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-07-06 22:24 <DIR> d-------- F:\Program Files\Enigma Software Group
2007-07-06 21:11 9,216 --a------ F:\WINDOWS\system32\drivers\nmwcdc.sys
2007-07-06 21:11 50,688 --a------ F:\WINDOWS\system32\nmwcdcls.dll
2007-07-06 21:11 4,608 --a------ F:\WINDOWS\system32\nmwcdlog.dll
2007-07-06 21:11 30,720 --a------ F:\WINDOWS\system32\nmwcdcocls.dll
2007-07-06 21:11 138,240 --a------ F:\WINDOWS\system32\drivers\nmwcd.sys
2007-07-06 21:11 <DIR> d-------- F:\Program Files\Nokia
2007-07-05 13:09 <DIR> d-------- F:\Program Files\Common Files\Symantec Shared
2007-07-05 13:09 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-01 23:16 5,632 --a------ F:\WINDOWS\system32\ptpusb.dll
2007-07-01 23:16 159,232 --a------ F:\WINDOWS\system32\ptpusd.dll
2007-07-01 23:16 15,104 --a------ F:\WINDOWS\system32\drivers\usbscan.sys
2007-06-30 21:08 <DIR> d-------- F:\Program Files\MSXML 4.0
2007-06-30 20:45 87,808 --a------ F:\WINDOWS\system32\cpwmon2k.dll
2007-06-30 20:45 <DIR> d-------- F:\Program Files\GPLGS
2007-06-30 20:45 <DIR> d-------- F:\Program Files\Acro Software
2007-06-29 19:12 25,984 --a------ F:\WINDOWS\system32\drivers\usbaapl.sys
2007-06-29 19:12 <DIR> d----c--- F:\WINDOWS\system32\DRVSTORE
2007-06-29 19:12 <DIR> d-------- F:\Program Files\iPod
2007-06-29 19:11 <DIR> d-------- F:\Program Files\Common Files\Apple
2007-06-29 19:11 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-28 22:56 <DIR> d-------- F:\DOCUME~1\TOBIAN~1\APPLIC~1\GTek
2007-06-28 22:56 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
2007-06-28 10:26 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2007-06-27 23:37 256 --a------ F:\WINDOWS\system32\pool.bin
2007-06-27 23:35 26,496 -ra------ F:\WINDOWS\system32\drivers\RimSerial.sys
2007-06-27 23:35 <DIR> d-------- F:\WINDOWS\RegisteredPackages
2007-06-27 22:07 <DIR> d-a------ F:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-27 22:07 <DIR> d-------- F:\Program Files\Verizon Online
2007-06-27 21:02 <DIR> d-------- F:\WINDOWS\system32\recngrvl
2007-06-27 20:54 <DIR> d-------- F:\DOCUME~1\TOBIAN~1\APPLIC~1\Leadertech
2007-06-27 20:52 24,816 --a------ F:\WINDOWS\system32\mdimon.dll
2007-06-27 20:51 <DIR> d-------- F:\WINDOWS\SHELLNEW
2007-06-27 20:51 <DIR> d-------- F:\Program Files\Microsoft Works
2007-06-27 20:51 <DIR> d-------- F:\Program Files\Microsoft ActiveSync
2007-06-27 20:51 <DIR> d-------- F:\Program Files\Common Files\L&H
2007-06-27 20:50 <DIR> d-------- F:\Program Files\Microsoft.NET
2007-06-26 17:54 <DIR> d-------- F:\WINDOWS\network diagnostic
2007-06-26 17:38 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Maxtor
2007-06-26 17:14 <DIR> d-------- F:\Program Files\Maxtor
2007-06-26 16:52 <DIR> d-------- F:\WINDOWS\system32\NtmsData
2007-06-26 16:20 <DIR> d-------- F:\Program Files\Linksys
2007-06-26 16:19 <DIR> d-------- F:\WINDOWS\Downloaded Installations
2007-06-26 15:29 <DIR> d-------- F:\Program Files\Lavasoft
2007-06-26 15:29 <DIR> d-------- F:\Program Files\Common Files\Wise Installation Wizard
2007-06-26 15:29 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-26 15:15 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-26 15:10 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-26 14:46 22,752 --a------ F:\WINDOWS\system32\spupdsvc.exe
2007-06-26 14:46 <DIR> d--h----- F:\WINDOWS\$hf_mig$
2007-06-26 14:46 <DIR> d-------- F:\WINDOWS\system32\PreInstall
2007-06-26 14:44 43,352 --a------ F:\WINDOWS\system32\wups2.dll
2007-06-26 14:44 <DIR> d--hs---- F:\DOCUME~1\TOBIAN~1\UserData
2007-06-26 14:44 <DIR> d-------- F:\WINDOWS\system32\SoftwareDistribution
2007-06-26 14:19 <DIR> d-------- F:\Program Files\QuickTime
2007-06-26 14:19 <DIR> d-------- F:\Program Files\iTunes
2007-06-26 14:19 <DIR> d-------- F:\Program Files\Apple Software Update
2007-06-26 14:19 <DIR> d-------- F:\DOCUME~1\TOBIAN~1\APPLIC~1\Apple Computer
2007-06-26 14:19 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-26 13:54 0 --a------ F:\WINDOWS\nsreg.dat
2007-06-26 13:13 1,303 --a------ F:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 16:19:47 806 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-07 16:19:47 8,014 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-06-04 22:18:48 9,344 ----a-w F:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w F:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w F:\WINDOWS\system32\drivers\AWRTPD.sys
2007-04-25 14:21:15 144,896 ----a-w F:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w F:\WINDOWS\system32\msi.dll
2007-04-17 05:45:28 92,504 ----a-w F:\WINDOWS\system32\cdm.dll
2007-04-17 02:43:40 208,248 ----a-w F:\WINDOWS\system32\muweb.dll
2007-04-13 22:19:52 7,680 ----a-w F:\WINDOWS\system32\lsdelete.exe
2007-04-13 07:21:14 271,360 ----a-w F:\WINDOWS\system32\mscoree.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2007-02-18 23:22 97960 -ra------ F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 04:04 853672 --a------ F:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 06:43 501400 --a------ F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 13:43]
"RemoteControl"="F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2007-04-27 12:41]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 06:43]
"MaxtorOneTouch"="F:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 08:45]
"@"="" []
"mxomssmenu"="F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 11:15]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"ccApp"="F:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-14 23:10]
"BDMCon"="F:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-07-12 00:41]
"BDAgent"="F:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"APVXDWIN"="F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50]
"Symantec PIF AlertEng"="F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="F:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 18:18]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll --a------ 2006-07-14 13:46 45056 F:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpqnm]
rqrpqnm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
winrkp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-05 15:21:00 F:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 13:26:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 13:27:33 - machine was rebooted
F:\ComboFix-quarantined-files.txt ... 2007-07-13 13:27

--- E O F ---


******* NEW Hijack this log ***********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:13 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Maxtor\Utils\SyncServices.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Softwin\BitDefender10\bdmcon.exe
F:\Program Files\Softwin\BitDefender10\bdagent.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
F:\Program Files\Skype\Phone\Skype.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Linksys\CIT200\cit200.exe
F:\Program Files\Softwin\BitDefender10\vsserv.exe
F:\Program Files\Skype\Plugin Manager\skypePM.exe
f:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BDMCon] "F:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [APVXDWIN] "F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CIT200.lnk = F:\Program Files\Linksys\CIT200\cit200.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182885291203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182992119421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqrpqnm - rqrpqnm.dll (file missing)
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Panda Software Controller - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10539 bytes

#5 __RiP_ChAiN_
Posted 13 July 2007 - 08:01 PM

Hello tobias.armstrong,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download OTMoveIt by Oldtimer and save it to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - Winlogon Notify: rqrpqnm - rqrpqnm.dll (file missing)
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

Run OTMoveIt:
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
F:\WINDOWS\system32\ogkjpfne.dll
F:\WINDOWS\system32\iwoamwvr.dll
F:\WINDOWS\system32\mljwiybq.dll
F:\WINDOWS\system32\soowvtvb.dll
F:\WINDOWS\system32\kslaugjv.dll
F:\WINDOWS\system32\naegjqvn.dll
F:\WINDOWS\system32\vwtklnfh.dll
F:\WINDOWS\system32\kjtuupxu.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)
Click the red Moveit! button.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Reboot into Normal Mode.

In your next reply please include the following:
  • A new Hijackthis log.
  • The OTMoveIt log.

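The HijackThis entries the helper singled out above (the O20 Winlogon Notify hooks whose DLLs are "(file missing)" and the R0 start page reset to about:blank) are the kind of thing a triage script can pull out of a log automatically. The following is an added example, not part of this thread and not HijackThis or BleepingComputer code; it parses the HijackThis v2 line format and flags the entries a helper reads first. The sample lines are copied from the logs posted in this thread, and the severity labels and the "Unknown owner" service check are assumptions of this example, not a rule from the forum.

```python
"""Triage a HijackThis v2 log: parse entries and flag the ones worth a second look.

Added example (not from the BleepingComputer thread, not HijackThis code).
The sample lines below are taken from the HijackThis logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, copied from the thread's logs (raw string: backslashes are literal).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
F:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: rqrpqnm - rqrpqnm.dll (file missing)
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
--
End of file - 10524 bytes
"""

# Every HijackThis entry starts with a section code such as R0, O4 or O23, then " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of an O20 Winlogon Notify entry: "<subkey name> - <dll name> [(file missing)]"
NOTIFY_RE = re.compile(r"Winlogon Notify: (\S+) - (\S+\.dll)", re.IGNORECASE)


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "O20"
    body: str   # text after "O20 - "


@dataclass
class Finding:
    code: str
    severity: str   # "high" / "medium" / "low" (labels assumed by this example)
    reason: str
    entry: str


def parse_log(text: str) -> List[Entry]:
    """Return the HijackThis entries in text; header and process list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def winlogon_notify_dll(entry: Entry) -> Optional[str]:
    """For an O20 Winlogon Notify entry, return the DLL file name it loads, else None."""
    m = NOTIFY_RE.match(entry.body)
    return m.group(2) if m else None


def review(entries: List[Entry]) -> List[Finding]:
    """Flag the entries a log reader would examine first."""
    findings = []
    for e in entries:
        if e.code == "O20":
            dll = winlogon_notify_dll(e)
            # A Winlogon Notify hook loads its DLL at every logon; one whose file is
            # gone is either a removal leftover or a loader whose DLL was just moved.
            if dll and "(file missing)" in e.body.lower():
                findings.append(Finding(e.code, "high",
                                        f"Winlogon Notify hook for missing DLL {dll}", e.body))
        elif e.code == "R0" and e.body.rstrip().lower().endswith("= about:blank"):
            # Start page reset to about:blank is a common side effect of browser hijackers.
            findings.append(Finding(e.code, "medium", "IE start page set to about:blank", e.body))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            # No publisher string on the service binary: not malicious by itself, just unverified.
            findings.append(Finding(e.code, "low", "service binary has no publisher", e.body))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n          {f.entry}")
```

Run against a full log, the script prints one line per flagged entry; everything else (the R1 defaults, the Java BHO, the signed services) is left alone, which mirrors what the helper asked to be fixed versus what he left in place.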

#6 tobias.armstrong

tobias.armstrong
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:25 PM

Posted 13 July 2007 - 11:15 PM

There's a saying - "Progress not perfection" - are we at least getting a little closer though? Whatever I did to this beast, I really screwed the pooch! I followed your instructions in the previous post and have posted the logs requested below. One note - the Hijackthis log posted below is AFTER I made all of the changes you instructed...

THANK YOU FOR ALL OF YOUR HELP!!!


***** OTMoveIt LOG: *******
DllUnregisterServer procedure not found in F:\WINDOWS\system32\ogkjpfne.dll
F:\WINDOWS\system32\ogkjpfne.dll NOT unregistered.
F:\WINDOWS\system32\ogkjpfne.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\iwoamwvr.dll
F:\WINDOWS\system32\iwoamwvr.dll NOT unregistered.
F:\WINDOWS\system32\iwoamwvr.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\mljwiybq.dll
F:\WINDOWS\system32\mljwiybq.dll NOT unregistered.
F:\WINDOWS\system32\mljwiybq.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\soowvtvb.dll
F:\WINDOWS\system32\soowvtvb.dll NOT unregistered.
F:\WINDOWS\system32\soowvtvb.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\kslaugjv.dll
F:\WINDOWS\system32\kslaugjv.dll NOT unregistered.
F:\WINDOWS\system32\kslaugjv.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\naegjqvn.dll
F:\WINDOWS\system32\naegjqvn.dll NOT unregistered.
F:\WINDOWS\system32\naegjqvn.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\vwtklnfh.dll
F:\WINDOWS\system32\vwtklnfh.dll NOT unregistered.
F:\WINDOWS\system32\vwtklnfh.dll moved successfully.
DllUnregisterServer procedure not found in F:\WINDOWS\system32\kjtuupxu.dll
F:\WINDOWS\system32\kjtuupxu.dll NOT unregistered.
F:\WINDOWS\system32\kjtuupxu.dll moved successfully.

Created on 07/14/2007 00:09:00

***** New Hijackthis Log *****
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:43 AM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Maxtor\Utils\SyncServices.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Softwin\BitDefender10\bdmcon.exe
F:\Program Files\Softwin\BitDefender10\bdagent.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
F:\Program Files\Skype\Phone\Skype.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Linksys\CIT200\cit200.exe
F:\Program Files\Skype\Plugin Manager\skypePM.exe
f:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender10\vsserv.exe
F:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BDMCon] "F:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [APVXDWIN] "F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CIT200.lnk = F:\Program Files\Linksys\CIT200\cit200.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182885291203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182992119421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Panda Software Controller - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10524 bytes

#7 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:07:25 PM

Posted 14 July 2007 - 12:39 AM

Hello tobias.armstrong,

We're getting close to completion, just a bit more to do :thumbsup:

Please do an online scan with Kaspersky WebScanner. (Please note: You MUST use Internet Explorer for this scan to work.)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#8 tobias.armstrong

tobias.armstrong
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:25 PM

Posted 14 July 2007 - 12:17 PM

Below is the Kaspersky report. This infection is indestructible - it lives on!!! Thank you yet again for your help rooting it out!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 14, 2007 1:10:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/07/2007
Kaspersky Anti-Virus database records: 362288
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 37952
Number of viruses found: 2
Number of infected objects: 1
Number of suspicious objects: 4
Duration of the scan process: 00:39:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip ZIP: suspicious - 1 skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\45784C42.TMP Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZM4JOLOA\index[1].htm Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Bitdefender\Desktop\Profiles\asdict.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\cert8.db Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\formhistory.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\history.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\key3.db Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\parent.lock Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\search.sqlite Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\urlclassifier2.sqlite Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\call256.dbb Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\callmember256.dbb Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\contactgroup256.dbb Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\dyncontent\bundle.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\index2.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\profile256.dbb Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Application Data\Skype\tobias_armstrong\user256.dbb Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\Cache\_CACHE_001_ Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\Cache\_CACHE_002_ Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\Cache\_CACHE_003_ Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5t4ji96.default\Cache\_CACHE_MAP_ Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\History\History.IE5\MSHist012007071420070715\index.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\G2S81G8U\masiyxanidi[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\SID93BG6\masiyxanidi[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\SID93BG6\masiyxanidi[2] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\SID93BG6\_affvm[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\SID93BG6\_affvm[2] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\SID93BG6\_affvm[3] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\TLTMZ7XT\masiyxanidi[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\TLTMZ7XT\masiyxanidi[2] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\TLTMZ7XT\_affvm[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\TLTMZ7XT\_affvm[2] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\ZYJOTHY8\masiyxanidi[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\ZYJOTHY8\masiyxanidi[2] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\ZYJOTHY8\masiyxanidi[3] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\ZYJOTHY8\_affvm[1] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\Local Settings\Temporary Internet Files\Content.IE5\ZYJOTHY8\_affvm[2] Object is locked skipped
F:\Documents and Settings\Tobi and Omar\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Tobi and Omar\ntuser.dat.LOG Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\Bonus\Log\Shazam.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
F:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
F:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
F:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
F:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
F:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
F:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
F:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
F:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
F:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
F:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
F:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
F:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
F:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
F:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
F:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
F:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
F:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
F:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
F:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
F:\Program Files\Panda Software\Panda Antivirus 2007\66dea96eddcb9ca25afdc2fa956fb844PSK_NAMES Object is locked skipped
F:\Program Files\Panda Software\Panda Antivirus 2007\66dea96eddcb9ca25afdc2fa956fb844PSK_NAMES2 Object is locked skipped
F:\Program Files\Softwin\BitDefender10\aspdict.dat Object is locked skipped
F:\QooBox\Quarantine\F\WINDOWS\system32\gebyw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\bdss.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\Internet.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\JETA501.tmp Object is locked skipped
F:\WINDOWS\Temp\JETA56F.tmp Object is locked skipped
F:\WINDOWS\Temp\tmp00003237\tmp00000000 Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
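
The report above is mostly "Object is locked skipped" noise, and its single "Infected" hit sits under F:\QooBox\Quarantine with a .vir extension, i.e. a copy ComboFix had already captured. As an added example (not code from the thread or from Kaspersky), here is that reading encoded as a small parser: it separates locked objects from infections and marks an infection inside a quarantine folder as a neutralised copy rather than a live file. The sample report copies lines from the scan above plus one constructed line, marked as such, showing what the same DLL would look like if it were still at its original location.

```python
r"""Sort a Kaspersky online-scanner report into noise, quarantined copies and live hits.

Added example; not code from the thread or from Kaspersky.  The report
lists one object per line, path first and verdict last, in two shapes:

    <path> Object is locked skipped
    <path> Infected: <verdict> skipped

"Object is locked" only means the file was open while the scanner ran
(registry hives, event logs, other AV products' own files) and carries no
verdict.  An "Infected" hit whose path is inside a tool's quarantine
folder, or that carries ComboFix's .vir extension, is a captured copy that
cannot run; that is why the reply below says to delete QooBox rather than
to clean anything.  Only an infected object at its original location is
live.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    verdict: str          # empty for locked objects
    status: str           # "locked" | "quarantined" | "active"


# Path is everything before the verdict; the verdict token has no spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Object is locked|Infected: (?P<verdict>\S+))\s+skipped$")
# Quarantine folders of the usual cleanup tools, or ComboFix's renamed captures.
QUARANTINE_RE = re.compile(r"\\quarantine\\|\.vir$", re.IGNORECASE)


def parse_report(text: str) -> List[Finding]:
    """Turn report lines into Findings; lines in any other shape are ignored."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner, blank, "Scan process completed."
        path, verdict = m.group("path"), m.group("verdict")
        if verdict is None:
            status = "locked"
        elif QUARANTINE_RE.search(path):
            status = "quarantined"
        else:
            status = "active"
        findings.append(Finding(path, verdict or "", status))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status so the noise can be reported in one line."""
    counts = {"locked": 0, "quarantined": 0, "active": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def live_hits(findings: List[Finding]) -> List[Finding]:
    """The only findings that need a cleanup step."""
    return [f for f in findings if f.status == "active"]


# Sample report: the first five lines are copied from the scan above; the
# last one is CONSTRUCTED to show a hit at the DLL's original location.
SAMPLE_REPORT = r"""
F:\Documents and Settings\Tobi and Omar\NTUSER.DAT Object is locked skipped
F:\QooBox\Quarantine\F\WINDOWS\system32\gebyw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\WINDOWS\system32\gebyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped

Scan process completed.
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for hit in live_hits(found):
        print("needs action:", hit.path, hit.verdict)
```

Against the real report this yields dozens of locked objects, one quarantined copy and no live hits, which is exactly the state in which deleting the quarantine folder is the right next step.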

#9 __RiP_ChAiN_ (Members, 1,592 posts, Omaha, Nebraska U.S.A)

Posted 14 July 2007 - 08:14 PM

Hello tobias.armstrong,

Please delete the following folder:

F:\QooBox

Please post back with a fresh HJT log and an update on how your computer is running.

#10 tobias.armstrong (Topic Starter, Members, 13 posts)

Posted 14 July 2007 - 09:02 PM

Done and done... No crazy pop-ups for the last little while, and no hijacked browser problems. I am going to do some serious surfing and see what happens and report back...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:37 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Maxtor\Utils\SyncServices.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Softwin\BitDefender10\bdmcon.exe
F:\Program Files\Softwin\BitDefender10\bdagent.exe
F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Linksys\CIT200\cit200.exe
F:\Program Files\Skype\Plugin Manager\skypePM.exe
f:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
F:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender10\vsserv.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "F:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BDMCon] "F:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [APVXDWIN] "F:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CIT200.lnk = F:\Program Files\Linksys\CIT200\cit200.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182885291203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182992119421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Panda Software Controller - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - F:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10554 bytes
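
The verdict that follows ("your HJT log is now clean") comes from reading each entry's file path against what the entry claims to be. As an added example, not part of the thread and not HijackThis code, here is that first-pass reading encoded as a small triage script. The sample log mixes lines copied from the clean log above with three constructed entries, marked as such, standing in for what a Vundo-infected log typically shows: the CLSID on the constructed O2 line is a placeholder, the file name gebyw.dll is taken from the quarantine path in the scan report earlier in the thread, and updater.exe is an invented name.

```python
r"""Triage a HijackThis log with the rules of thumb a helper applies by eye.

Added example: not code from the thread and not part of HijackThis.  HJT
only lists autostart and hook entries; deciding which ones matter is the
reader's job, and the usual first pass compares where each entry's file
lives with what the entry claims to be.  Rules encoded here:

  * O2 (BHO) entries named "(no name)" that load a DLL sitting directly in
    WINDOWS\system32: the placement Vundo/Virtumonde used;
  * O20 (Winlogon Notify) DLLs in system32, which should be Microsoft's;
  * O23 services with no vendor string whose binary is outside Program
    Files, and O4 Run entries launched from temp or profile folders.

These are review prompts, not verdicts: a legitimate entry such as the
"ATI Smart - Unknown owner" service is surfaced too, for a human to clear.
"""
import re
from typing import List, Optional, Tuple

# A drive-letter path ending in a loadable binary; switches after it are ignored.
PATH_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl|sys)', re.IGNORECASE)
# A DLL directly under \WINDOWS\system32, with no subfolder.
SYS32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)
PROGFILES_RE = re.compile(r"^[a-z]:\\progra(?:m files|~1)\\", re.IGNORECASE)
USERDATA_RE = re.compile(
    r"\\(?:temp|local settings|application data|documents and settings)\\",
    re.IGNORECASE)
# O23 layout: "Service: <name> (<short>) - <vendor> - <path>"
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>[a-z]:\\.*)$", re.IGNORECASE)


def classify(entry: str) -> Optional[str]:
    """Return why an HJT entry deserves a second look, or None if it passes."""
    code, sep, rest = entry.partition(" - ")
    if not sep or not re.fullmatch(r"[ORFN]\d+", code):
        return None                 # banner, process list, "--", "End of file"
    m = PATH_RE.search(rest)
    path = m.group(0) if m else ""
    if code == "O2" and "(no name)" in rest and SYS32_DLL_RE.match(path):
        return "unnamed BHO loading a DLL straight from system32 (classic Vundo placement)"
    if code == "O20" and SYS32_DLL_RE.match(path):
        return "Winlogon Notify DLL in system32: confirm it is a Microsoft package"
    if code == "O23":
        sm = SERVICE_RE.match(rest)
        vendor = sm.group("vendor").strip() if sm else ""
        if vendor in ("", "Unknown owner") and not PROGFILES_RE.match(path):
            return "service with no vendor string outside Program Files: review"
    if code == "O4" and USERDATA_RE.search(path):
        return "autostart launched from a temp or profile folder: review"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over a whole log; return the (entry, reason) pairs flagged."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason:
            flagged.append((line, reason))
    return flagged


# Lines copied from the thread's clean log, plus three CONSTRUCTED entries
# (the gebyw.dll O2/O20 pair with a placeholder CLSID, and the Temp O4 line).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
F:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - F:\WINDOWS\system32\gebyw.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updater] F:\Documents and Settings\Tobi and Omar\Local Settings\Temp\updater.exe
O4 - Startup: CIT200.lnk = F:\Program Files\Linksys\CIT200\cit200.exe
O20 - Winlogon Notify: gebyw - F:\WINDOWS\system32\gebyw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\Maxtor\Utils\SyncServices.exe
--
End of file - 10554 bytes
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run against the full log above, the only line this surfaces is the "ATI Smart - Unknown owner" service, which a reader clears on sight; the Symantec and Spybot "(no name)" BHOs pass because their DLLs live under Program Files, which is the distinction the rule is built on.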

#11 __RiP_ChAiN_ (Members, 1,592 posts, Omaha, Nebraska U.S.A)

Posted 14 July 2007 - 09:09 PM

Hello tobias.armstrong,

Your HJT log is now clean; let me know if you notice any more malware-related issues.

#12 tobias.armstrong (Topic Starter, Members, 13 posts)

Posted 14 July 2007 - 09:42 PM

Talk about a long long journey!!!

One question for you, I still have BitDefender and Panda Antivirus installed, as well as Norton 360 which was my security software before the infection. All that antivirus stuff seems to be arm wrestling with each other and slowing the computer down to a crawl at times. I would like to uninstall Panda and BitDefender and go with the Norton 360. I also run Spybot and Ad-Aware about once a week or so. Does this sound like an okay scenario?

Also - THANK YOU! I am sure you hear it a lot, but I cannot thank you enough!!! I could not figure this out for the life of me, and am grateful for your expert assistance! The community based aspect of what you do is also really amazing - when you have trouble like this there is not much to support you other than the obvious impersonal big companies. You can certainly count on a donation from me!!!

#13 __RiP_ChAiN_ (Members, 1,592 posts, Omaha, Nebraska U.S.A)

Posted 14 July 2007 - 11:53 PM

Hello tobias.armstrong,

One question for you, I still have BitDefender and Panda Antivirus installed, as well as Norton 360 which was my security software before the infection. All that antivirus stuff seems to be arm wrestling with each other and slowing the computer down to a crawl at times. I would like to uninstall Panda and BitDefender and go with the Norton 360. I also run Spybot and Ad-Aware about once a week or so. Does this sound like an okay scenario?

Yeah, it's never a good idea to run more than one anti-virus at a time; that sounds like an excellent scenario.

Also - THANK YOU! I am sure you hear it a lot, but I cannot thank you enough!!! I could not figure this out for the life of me, and am grateful for your expert assistance! The community based aspect of what you do is also really amazing - when you have trouble like this there is not much to support you other than the obvious impersonal big companies. You can certainly count on a donation from me!!!

You'd be surprised; there are days I hear more whining than I do thanks, but that is obviously not the case here. I would say the people that actually do donate are maybe one in fifty or so; that would definitely put you in the minority with a nice big juicy $25.00 deposit into my PayPal account, which had been dormant until just a few hours ago. I thank you very much for the donation; you have my gratitude. If you ever need help with anything in the future, just shoot me a PM. Once again, my thanks.

#14 __RiP_ChAiN_ (Members, 1,592 posts, Omaha, Nebraska U.S.A)

Posted 25 July 2007 - 03:13 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.