
fjr1966
join:2008-04-24 Dublin, OH

HJT LOG - PC sends out massive random emails, locks up!
After a routine reboot, the system started sending out massive emails all on its own; whether the email client Outlook Express is open or not makes no difference.
Many pop-ups by Norton AV alerting me that outgoing email is being scanned, until the system locks up. I followed these steps from Mandatory Steps #13616. (Some could not be completed, but all were attempted.)
1. Installed Spybot S&D and ran as prescribed per directions in step 1a. All steps were successful.
2. Ran Ad-Aware 2007 as prescribed per directions in 1b. All steps were successful.
3. Unable to install Windows Defender; it errors out and quits when attempting install.
4. AVG Anti-Spyware with 14-day free trial no longer available. Tried updated version and it would not install.
5. Performed ESET online scan; removed and deleted 66 items. Log.txt file saved as required.
6. eTrust Web Scanner, unable to run. Error.
7. Trend Micro free online scan completed; 17 items found and removed.
8. Rebooted system, problem still remains.
9. Performed step to download and install HijackThis; performed scan and saved log.
10. Additional information: When running a Google search and clicking through to the desired URL, the browser sometimes redirects to another spam URL. Homepage has NOT been hijacked or changed. It has remained constant.
I think my system is infected or hijacked and need help. I am a research author who works from home and cannot afford to do a clean install. Please help. Thank you!
---------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:25 PM, on 4/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7F38CA7E-C0E2-4638-BE3A-E9CD85DD1121} - c:\windows\system32\dswavec.dll
O2 - BHO: (no name) - {B1C8DEA1-A3AA-4549-B165-9856CFD00111} - C:\WINDOWS\System32\cfgmgr32f.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - supportcenter.rr.com/sdccommon/d···tlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - software-dl.real.com/172a026fd0a···E601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - www.aebn.net/ws/DownloadCoach/dc···tall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com/v···83166671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com/microsoftup···96885812
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - entimg.msn.com/client/msnediag2918.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - support.gateway.com/eSupport/sta···nch2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - www.byteshop.com:8081/plugin/h263ctrl.cab
O16 - DPF: {B41059F3-1704-45E3-88F2-6A297F7153FC} (XLoader Control) - www.testout.com/portal/AllUsers/XLoader.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - h30043.www3.hp.com/hpdj/en/check···.cab?323
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {FCE90474-8B60-445B-A2B5-57E289BCEA42} (SmartDownloader Control) - www.downloadcoach.com/SmartDownloader.cab
O20 - Winlogon Notify: qzvntkva - C:\WINDOWS\SYSTEM32\dswavec.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/FRANK/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 8639 bytes
bcastner
Premium, MVM
join:2002-09-25 Chevy Chase, MD
edit: April 24th, @07:14PM
First Steps

The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.
Please download ATF Cleaner. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers):
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser:
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Reconfigure Windows XP to show hidden files. To enable the viewing of hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
Malware Removal Steps

1. Open HijackThis again, System scan only. Checkmark these items:

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {7F38CA7E-C0E2-4638-BE3A-E9CD85DD1121} - c:\windows\system32\dswavec.dll
O2 - BHO: (no name) - {B1C8DEA1-A3AA-4549-B165-9856CFD00111} - C:\WINDOWS\System32\cfgmgr32f.dll
O20 - Winlogon Notify: qzvntkva - C:\WINDOWS\SYSTEM32\dswavec.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/FRANK/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

Click "Fix checked" and when the log panel clears exit HijackThis.
2. Download and run ComboFix. Download this file to your Desktop from any of these sources:
• Disconnect from the Internet.
• Disable your Antivirus software; this includes any Script Blocking Feature it may have.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix.
When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution: Do not run ComboFix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
Once downloaded, close all programs and windows on your computer (including this one).
Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
4. Run HijackThis again, and save the log file.
Submit to the Forum:
• The contents of C:\Combofix.txt;
• The MBAM log;
• The reason Service Pack 2 is not installed;
• The new HijackThis log.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
fjr1966 (join: 2008-04-24, Dublin, OH), reply to bcastner
Re: HJT LOG - PC sends out massive random emails, locks up!
Thank you for the reply. All steps as requested, in order, completed successfully. Logs requested below. SP2 not installed due to overwhelming difficulties with SP2 installation some time ago.
COMBO LOG
ComboFix 08-04-22.5 - FRANK 2008-04-25 0:05:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.193 [GMT -4:00]
Running from: C:\Documents and Settings\FRANK\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0000
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0001
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0002
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0003
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0004
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0005
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0006
C:\Program Files\Common Files\icroso~1.net\ICROSO~1.NET\ctxad-464.0007
C:\WINDOWS\system32\azip32.dll
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\RKWR64.sys
C:\WINDOWS\System32\dswavec.dll
C:\WINDOWS\system32\dzgtactx.dll
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\Tasks.\At1.job

----- BITS: Possible infected sites -----

hxxp://thenetworkcom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CYHNTPNZ
-------\Legacy_EXAMPLE
-------\Legacy_EXAMPLE1
-------\Legacy_RKWR64
-------\Legacy_RUNTIME
-------\Service_cyhntpnz
-------\Service_EXAMPLE1
-------\Service_Rkwr64
-------\Service_RKWR64
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-24 16:06 . 2008-04-24 16:10 d-------- C:\Program Files\Spyware Doctor
2008-04-24 16:06 . 2008-04-24 16:06 d-------- C:\Documents and Settings\FRANK\Application Data\PC Tools
2008-04-24 16:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-24 16:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-24 16:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-24 16:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-24 14:49 . 2008-04-24 15:55 d-------- C:\Program Files\EsetOnlineScanner
2008-04-24 08:07 . 2008-04-24 08:07 174 --a------ C:\WINDOWS\wininit.ini
2008-04-24 07:28 . 2008-04-24 07:28 d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-24 06:53 . 2008-04-24 06:53 d-------- C:\Program Files\SymNetDrv
2008-04-24 06:52 . 2005-07-29 09:56 124,168 --a------ C:\WINDOWS\system32\SymStore.dll
2008-04-24 06:49 . 2008-04-24 06:50 d-------- C:\Program Files\Norton AntiVirus
2008-04-24 06:49 . 2008-04-24 06:49 d-------- C:\Documents and Settings\FRANK\Application Data\Symantec
2008-04-24 06:49 . 2002-02-26 10:40 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-04-24 06:49 . 2002-02-26 10:40 58,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-24 06:49 . 2002-02-26 10:40 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-24 06:12 . 2008-04-24 06:12 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-24 06:08 . 2008-04-24 06:53 d-------- C:\Program Files\Symantec
2008-04-24 06:08 . 2008-04-24 06:55 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-24 06:08 . 2008-04-24 06:50 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 05:25 . 2002-02-26 10:40 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2008-04-24 04:45 . 2008-04-25 00:12 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-24 03:33 . 2002-12-11 15:16 88,064 --a------ C:\WINDOWS\system32\asferrorq.dll
2008-04-24 03:28 . 2008-04-24 03:28 29 --a------ C:\WINDOWS\system32\syfowhie.tmp
2008-04-24 03:27 . 2003-03-31 08:00 88,064 --a------ C:\WINDOWS\system32\cfgmgr32f.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 11:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 08:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-23 17:15 --------- d-----w C:\Documents and Settings\FRANK\Application Data\uTorrent
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2007-09-28 18:40 57,760 ----a-w C:\Documents and Settings\FRANK\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2006-12-25 03:11 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-30 13:50 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"nwiz"="nwiz.exe" [2004-03-24 10:04 782336 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-24 10:04 46080]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-03-24 10:04 3309568]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 06:50 155648]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 12:39 98304]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 04:08 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 01:20 55296 C:\WINDOWS\SOUNDMAN.EXE]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-08-15 17:59 374688]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27 75384]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-04-24 06:53 95960]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.JPGL"= jpgl.dll "vidc.xvid"= xvid.dll "VIDC.I263"= i263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7il] C:\WINDOWS\system32\7il.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoProp] --------- 2001-07-16 07:50 36864 C:\PROGRA~1\MICROS~2\Office\bots\fp_wmp\regprop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite] --------- 2006-07-11 06:06 3144800 C:\Program Files\ICQLite\ICQLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool] C:\WINDOWS\9129837.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] --------- 2003-12-01 12:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 23:57]
R3 QCPro;Logitech QuickCam Pro USB(PID_D001);C:\WINDOWS\System32\DRIVERS\p35u.sys [2001-09-24 12:42]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 10:50:56 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-04-25 00:12:24 Windows 5.1.2600 Service Pack 1 NTFS
detected NTDLL code modification: ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2008-04-25 0:18:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 04:18:45

Pre-Run: 65,896,796,160 bytes free
Post-Run: 66,456,514,560 bytes free
161
MBAM LOG
Malwarebytes' Anti-Malware 1.11
Database version: 679

Scan type: Quick Scan
Objects scanned: 35883
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected:
C:\Program Files\whInstall (Adware.WebHancer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\whInstall\license.txt (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall\readme.txt (Adware.WebHancer) -> Quarantined and deleted successfully.
HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:10 AM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - »supportcenter.rr.com/sdccommon/d···tlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - »www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - »software-dl.real.com/172a026fd0a···E601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - »www.aebn.net/ws/DownloadCoach/dc···tall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···83166671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »update.microsoft.com/microsoftup···96885812
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - »entimg.msn.com/client/msnediag2918.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - »support.gateway.com/eSupport/sta···nch2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - »www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - »www.byteshop.com:8081/plugin/h263ctrl.cab
O16 - DPF: {B41059F3-1704-45E3-88F2-6A297F7153FC} (XLoader Control) - »www.testout.com/portal/AllUsers/XLoader.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - »h30043.www3.hp.com/hpdj/en/check···.cab?323
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - »entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {FCE90474-8B60-445B-A2B5-57E289BCEA42} (SmartDownloader Control) - »www.downloadcoach.com/SmartDownloader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
-- End of file - 8877 bytes

bcastner (Premium, MVM; join: 2002-09-25, Chevy Chase, MD; clubs: Verizon Online DSL), reply to fjr1966
Service Pack 3 for XP was just released, and will be available for download and through Windows Update next week. Please install this through a direct download when available. The main Security Forum page will note when this happens. If you have any problems installing SP3, start a new topic here. I helped over 1200 people install SP2 through Forum assistance, and not one of them was unable to do so with assistance. Your computer was massively infected, and a lot of this would have been avoided with SP2 installed.
What is the status of your Norton installation? Is this a new installation? You show a great deal of recent file updates. Please advise if your subscription is current, and that Norton is updated and working properly.
1. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
• A window will open with a warning. Accept any Disclaimers to start the fix.
• When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
2. Kaspersky Online Scanner
Go Here --- »www.kaspersky.co.uk/virusscanner
• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer" and then take a long walk! Do not use the computer until the scan is finished.
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt).
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
3. Use the Norton Live Update feature and make sure you are current on definitions.
Boot to Safe Mode and scan your computer as thoroughly as Norton permits.
Post back to the Forum the results of C:\Combofix.txt, and the Kaspersky scan results.
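bcastner's CFScript lists asferrorq.dll and cfgmgr32f.dll but not SymStore.dll, although all three appear in the same morning's "Files Created" section of the first ComboFix log. Two things a reviewer looks at separate them: each ComboFix line carries the time the file appeared on disk and the modification time the file itself carries, and the names that deserve suspicion are one character away from real system32 file names (asferror.dll, cfgmgr32.dll). The Python below is an added example for this thread, not ComboFix's or bcastner's code, that applies those two checks to lines copied from the first ComboFix log above. The five-name reference list, the one-year threshold and the high/review split are assumptions for illustration; a vendor reinstall (Norton here) trips the timestamp check on legitimate files, which is why the timestamp alone is never enough to put a file into FILE::.

```python
"""Review the "Files Created" section of a ComboFix log before building a CFScript.

Added example for this thread; not part of ComboFix and not bcastner's script.
Two reviewer heuristics, both assumptions rather than verdicts:
  * backdated: the file appeared on disk recently but carries a modification time
    years older (normal for installers copying vendor files, also how a dropped file
    blends in among stock system files);
  * lookalike: the name is one character away from a real system32 file name.
A file hitting both is what a reviewer would put into FILE:: first.
"""
import re
from datetime import datetime

# ComboFix 08-04 line layout: <created> . <modified> [<size>] <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

# Assumed reference list: a few genuine XP system32 file names. A real review would use
# a full manifest taken from a clean install of the same service pack.
KNOWN_SYSTEM_NAMES = {"asferror.dll", "cfgmgr32.dll", "blackbox.dll", "compatui.dll", "kbdpo.dll"}

# Assumed threshold: a gap of more than a year between the two timestamps is "backdated".
BACKDATE_THRESHOLD_DAYS = 365


def parse_files_created(text):
    """Yield a dict per file line; directory entries (attrs starting with 'd') are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        yield {
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "path": m.group("path"),
        }


def is_lookalike(name):
    """True if deleting exactly one character from name yields a known system file name."""
    name = name.lower()
    return any(name[:i] + name[i + 1:] in KNOWN_SYSTEM_NAMES for i in range(len(name)))


def review(text):
    """Return {path: priority}: 'high' = backdated and lookalike, 'review' = only one of the two."""
    flagged = {}
    for entry in parse_files_created(text):
        name = entry["path"].rsplit("\\", 1)[-1]
        backdated = (entry["created"] - entry["modified"]).days > BACKDATE_THRESHOLD_DAYS
        lookalike = is_lookalike(name)
        if backdated and lookalike:
            flagged[entry["path"]] = "high"
        elif backdated or lookalike:
            flagged[entry["path"]] = "review"
    return flagged


# Sample input: lines copied from the first ComboFix log posted in this thread.
SAMPLE = r"""
2008-04-24 16:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-24 08:07 . 2008-04-24 08:07 174 --a------ C:\WINDOWS\wininit.ini
2008-04-24 07:28 . 2008-04-24 07:28 d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-24 06:52 . 2005-07-29 09:56 124,168 --a------ C:\WINDOWS\system32\SymStore.dll
2008-04-24 06:49 . 2002-02-26 10:40 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-04-24 03:33 . 2002-12-11 15:16 88,064 --a------ C:\WINDOWS\system32\asferrorq.dll
2008-04-24 03:28 . 2008-04-24 03:28 29 --a------ C:\WINDOWS\system32\syfowhie.tmp
2008-04-24 03:27 . 2003-03-31 08:00 88,064 --a------ C:\WINDOWS\system32\cfgmgr32f.dll
"""

if __name__ == "__main__":
    for path, prio in sorted(review(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{prio:7} {path}")
```

On the sample, asferrorq.dll and cfgmgr32f.dll come out as high (both backdated and one letter off a real system file), SymStore.dll and SYMEVNT.386 as review only (backdated, which the same-morning Norton reinstall explains), and iksyssec.sys, wininit.ini and syfowhie.tmp are not flagged by either check. The last two were still deleted in the thread, so the script narrows the list; it does not replace reading the rest of the log.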
fjr1966 (join: 2008-04-24, Dublin, OH)
Results of Combofix and the Kaspersky scan are below. I will attempt the SP3 update as soon as possible and time allows. If I have any problems with the update, I will be sure to start a new topic thread for help. Norton AV was recently reinstalled. It would not update and showed an error in the email scanning section all the time. The Norton AV online help desk had me do a reinstall. However, I now see that although Norton AV LiveUpdate, even after the reinstall, said it was current, the definitions, when I paged through them, were woefully out of date. After we performed all of the steps prescribed on this forum, I ran a manual install from Norton AV's website and the definitions are, in fact, now completely up to date. I ran Norton AV again and it found a number of viruses previously not detected. (I run Norton AV every week for a full scan and it remains resident so as to detect any real-time viral events and fix and/or quarantine them.) I am sure this was due to the fact that, by my best educated guess, the Norton AV definitions were more than 6 months out of date. I am also fairly confident that, with your help, we have eradicated and cured most of the ailments my PC was afflicted with, and the original problem I posted about has ceased to resurface. I await any further instructions after you view the logs from the latest scans. Thank you.
COMBOFIX LOG *******************************
ComboFix 08-04-22.5 - FRANK 2008-04-25 16:10:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.285 [GMT -4:00]
Running from: C:\Documents and Settings\FRANK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FRANK\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\asferrorq.dll
C:\windows\SYSTEM32\BLACKBOXL.DLL
C:\windows\SYSTEM32\cfgmgr32f.dll
C:\windows\SYSTEM32\CFGMGR32F.DLL
C:\windows\SYSTEM32\COMPATUIP.DLL
C:\windows\SYSTEM32\KBDPOV.DLL
C:\WINDOWS\system32\syfowhie.tmp
C:\WINDOWS\wininit.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\asferrorq.dll
C:\windows\SYSTEM32\cfgmgr32f.dll
C:\WINDOWS\system32\syfowhie.tmp
C:\WINDOWS\wininit.ini
. ((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 ))))))))))))))))))))))))))))))) .
2008-04-25 00:25 . 2008-04-25 00:25 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-04-25 00:25 . 2008-04-25 00:25 d-------- C:\Documents and Settings\FRANK\Application Data\Malwarebytes 2008-04-25 00:25 . 2008-04-25 00:25 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-24 16:06 . 2008-04-25 07:13 d-------- C:\Program Files\Spyware Doctor 2008-04-24 16:06 . 2008-04-24 16:06 d-------- C:\Documents and Settings\FRANK\Application Data\PC Tools 2008-04-24 16:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2008-04-24 16:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2008-04-24 16:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2008-04-24 16:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2008-04-24 14:49 . 2008-04-24 15:55 d-------- C:\Program Files\EsetOnlineScanner 2008-04-24 07:28 . 2008-04-24 07:28 d-------- C:\Program Files\Spybot - Search & Destroy 2008-04-24 06:53 . 2008-04-24 06:53 d-------- C:\Program Files\SymNetDrv 2008-04-24 06:52 . 2005-07-29 09:56 124,168 --a------ C:\WINDOWS\system32\SymStore.dll 2008-04-24 06:49 . 2008-04-24 06:50 d-------- C:\Program Files\Norton AntiVirus 2008-04-24 06:49 . 2008-04-24 06:49 d-------- C:\Documents and Settings\FRANK\Application Data\Symantec 2008-04-24 06:49 . 2002-02-26 10:40 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386 2008-04-24 06:49 . 2002-02-26 10:40 58,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2008-04-24 06:49 . 2002-02-26 10:40 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2008-04-24 06:12 . 2008-04-24 06:12 0 --a------ C:\WINDOWS\nsreg.dat 2008-04-24 06:08 . 2008-04-24 06:53 d-------- C:\Program Files\Symantec 2008-04-24 06:08 . 2008-04-24 06:55 d-------- C:\Program Files\Common Files\Symantec Shared 2008-04-24 06:08 . 
2008-04-24 06:50 d-------- C:\Documents and Settings\All Users\Application Data\Symantec 2008-04-24 05:25 . 2002-02-26 10:40 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL 2008-04-24 04:45 . 2008-04-25 17:03 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-24 11:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-04-24 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-04-24 08:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-04-23 17:15 --------- d-----w C:\Documents and Settings\FRANK\Application Data\uTorrent 2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll 2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll 2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll 2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe 2007-09-28 18:40 57,760 ----a-w C:\Documents and Settings\FRANK\Application Data\GDIPFONTCACHEV1.DAT .
((((((((((((((((((((((((((((( snapshot@2008-04-25_ 0.17.47.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 04:10:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 20:13:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-24 07:37:19 41,708 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-25 04:13:47 41,708 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-24 07:37:19 314,710 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-25 04:13:47 314,710 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2006-12-25 03:11 16384]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-30 13:50 185896] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624] "nwiz"="nwiz.exe" [2004-03-24 10:04 782336 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-24 10:04 46080] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-03-24 10:04 3309568] "NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 06:50 155648] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ] "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 12:39 98304] "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 19968 C:\WINDOWS\LOGI_MWX.EXE] "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 04:08 172032] "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152] "SoundMan"="SOUNDMAN.EXE" [2003-05-14 01:20 55296 C:\WINDOWS\SOUNDMAN.EXE] "TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-08-15 17:59 374688] "NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27 75384] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-04-24 06:53 95960] "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-12-25 03:11:09 169472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.JPGL"= jpgl.dll "vidc.xvid"= xvid.dll "VIDC.I263"= i263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7il] C:\WINDOWS\system32\7il.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoProp] --------- 2001-07-16 07:50 36864 C:\PROGRA~1\MICROS~2\Office\bots\fp_wmp\regprop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite] --------- 2006-07-11 06:06 3144800 C:\Program Files\ICQLite\ICQLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool] C:\WINDOWS\9129837.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] --------- 2003-12-01 12:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 23:57]
R3 QCPro;Logitech QuickCam Pro USB(PID_D001);C:\WINDOWS\System32\DRIVERS\p35u.sys [2001-09-24 12:42]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 10:50:56 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-25 17:02:32
Windows 5.1.2600 Service Pack 1 NTFS
detected NTDLL code modification: ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2008-04-25 17:14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 21:14:02
ComboFix2.txt 2008-04-25 04:18:52
Pre-Run: 66,407,792,640 bytes free
Post-Run: 66,450,685,952 bytes free
KASPERSKY REPORT *************************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 6:55:12 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 725571
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\
Scan Statistics:
Total number of scanned objects: 88522
Number of viruses found: 5
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 01:19:48
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-25_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\FRANK\Application Data\Sun\Java\Deployment\cache\6.0\41\14123b69-28de183b Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\FRANK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\FRANK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\FRANK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\FRANK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\FRANK\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
C:\Documents and Settings\FRANK\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\FRANK\ntuser.dat Object is locked skipped
C:\Documents and Settings\FRANK\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\L0000003.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\FRANK\Data\storydb.idx Object is locked skipped
C:\Program Files\Messenger\kygeta.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe RarSFX: infected - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe Crypt.Quarantine: infected - 4 skipped
C:\Program Files\Windows NT\hodyrugo.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\QooBox\Quarantine\catchme2008-04-25_ 00911.26.zip/RKWR64.sys Infected: Rootkit.Win32.Agent.aih skipped
C:\QooBox\Quarantine\catchme2008-04-25_ 00911.26.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP13\A0000032.dll Infected: Trojan-Spy.Win32.Agent.bzy skipped
C:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Computer Tools\SYSTEM TOOLS\keyfinder.exe RarSFX: infected - 3 skipped
D:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000150.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000150.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000150.exe/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000150.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000150.exe RarSFX: infected - 4 skipped
D:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\change.log Object is locked skipped
G:\SYSTEM TOOLS\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\SYSTEM TOOLS\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\SYSTEM TOOLS\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\SYSTEM TOOLS\keyfinder.exe RarSFX: infected - 3 skipped
G:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000151.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000151.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000151.exe/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000151.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
G:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\A0000151.exe RarSFX: infected - 4 skipped
G:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\change.log Object is locked skipped
H:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP14\change.log Object is locked skipped
Scan process completed.

bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD
reply to fjr1966
DISABLE Spyware Doctor -- It is a good program, but ... it may hinder the removal of some malware entries. You can re-enable it after you're clean. From within Spyware Doctor, click the "OnGuard" button on the left side. Uncheck "Activate OnGuard".
1. Using your mouse, left click once where it says: Copy to clipboard to capture the entire contents of the Code box below, including blank lines:
Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "RegFix.REG". Exit Notepad.
Double click your new file and agree to the registry merge when asked. You can then delete this new file.
2. Using your mouse, Highlight and then Right-click | Copy the entire contents of the Quote box below, including blank lines:
quote:
@echo off
cd %~dp0
REM :!: malware removal script only for this user
REM :!: Please do not use.
REM :!: Unintended consequences are likely if you are not this user.
REM :!: Authored by Bill Castner, BroadBandReports Forum
REM Paths are quoted: unquoted, cmd.exe splits "C:\Program Files\..." at the spaces and the files are not deleted.
del /a /f /q "C:\Program Files\Messenger\kygeta.html"
del /a /f /q "C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe"
del /a /f /q "D:\Computer Tools\SYSTEM TOOLS\keyfinder.exe"
del /a /f /q "G:\SYSTEM TOOLS\keyfinder.exe"
REM Remove this script itself once the deletions are done.
del %0
exit
Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Quote box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "Cleanit.cmd". Exit Notepad.
Double click your new file to run the script. It will briefly open a black box and then exit.
3. Please download AproposFix from here: Save it to your desktop but do not run it yet. Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into Safe Mode. Make sure you choose the option without networking support.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. When the tool is finished, please post the entire contents of the log.txt file in the aproposfix folder.
--
============
MS-MVP 2004 - 2008, ASAP Member
Users Helping Users
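The sorting the helper did by hand above, from the Kaspersky report to the Cleanit.cmd deletion lines, as an added Python example that is not part of the thread: it drops the "Object is locked" noise, collapses archive members such as keyfinder.exe/data.rar/xpkey.exe to the file that exists on disk, sets aside hits that already sit in a quarantine folder or a System Restore point (handled by the clean-up steps later in the thread), and emits quoted del lines for what is left. The report text is a constructed excerpt in the report's line format, and the quarantine/restore-point path markers are an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the Kaspersky Online Scanner report posted above
# (one object per line; the posted copy was flattened by page extraction).
KASPERSKY_SAMPLE = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\FRANK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\FRANK\Application Data\Sun\Java\Deployment\cache\6.0\41\14123b69-28de183b Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\FRANK\My Documents\Computer Tools\SYSTEM TOOLS\keyfinder.exe RarSFX: infected - 3 skipped
C:\Program Files\Messenger\kygeta.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AAF073F.exe Crypt.Quarantine: infected - 4 skipped
C:\System Volume Information\_restore{DDC2EB08-1B46-4CD4-8582-F7D631FA6E0E}\RP13\A0000032.dll Infected: Trojan-Spy.Win32.Agent.bzy skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# A report line is "<object> <status> skipped" with three status shapes: "Object is locked",
# "Infected: <name>" and "<Container>: infected - <n>". The lazy object group lets paths
# contain spaces; anchoring on the status tail keeps the split unambiguous.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<kind>\S+): infected - (?P<count>\d+)) skipped$"
)

# Assumed markers for locations the clean-up steps later in the thread handle wholesale
# (AV quarantine folders, the System Restore purge); hits there are kept apart from live files.
HELD_MARKERS = ("\\quarantine\\", "\\system volume information\\")


def container_of(obj):
    """Collapse an archive member (x.exe/data.rar/y.exe) to the file that exists on disk."""
    return obj.split("/", 1)[0]


def triage(report_text):
    """Return (locked_count, live, held); live and held map a disk path to its detections."""
    locked = 0
    live, held = defaultdict(set), defaultdict(set)
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header/footer lines of the report
        if m.group("locked"):
            locked += 1  # in-use file the scanner could not open: noise, not a detection
            continue
        path = container_of(m.group("obj"))
        bucket = held if any(k in path.lower() for k in HELD_MARKERS) else live
        names = bucket[path]  # entry is created even for a bare container summary line
        if m.group("name"):
            names.add(m.group("name"))
    return (locked, {p: sorted(n) for p, n in live.items()},
            {p: sorted(n) for p, n in held.items()})


def del_commands(live):
    """cmd.exe lines for the live hits, quoted so a path with spaces stays one argument."""
    return ['del /a /f /q "%s"' % p for p in sorted(live)]


if __name__ == "__main__":
    n_locked, live_hits, held_hits = triage(KASPERSKY_SAMPLE)
    print(n_locked, live_hits, held_hits, *del_commands(live_hits), sep="\n")
```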
fjr1966
join:2008-04-24 Dublin, OH
Spyware Doctor has been disabled whenever I am executing the instructions you have been providing me to this point. Items 1, 2 & 3 have been completed. Log from aproposfix.exe provided below. Thank you.
************************
Log of AproposFix v1.1
************
Running from directory: C:\Documents and Settings\FRANK\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder: No folder found!
Deleting files:
Backing up files: Done!
Removing registry entries:
REGEDIT4
Done!
Finished!

bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD
reply to fjr1966
Open Acrobat if you have the Full Version installed. Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat. Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader inside your browser: »www.adobe.com/products/acrobat/r···ep2.html
Clean-up & Prevention:
• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.
• Click Start, then click Run. Enter into the command box that opens: combofix /u and then click OK. (If we have renamed this file, please use the current name for the program in this instruction.) 
• Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used. If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead and re-enable them if you wish.
• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.
Best wishes.
Bill Castner
--
============
MS-MVP 2004 - 2008, ASAP Member
Users Helping Users