11-25-2007, 02:34 PM   #1
Cookie Monster
Registered User
 
Join Date: Sep 2007
Location: Colorado
Posts: 34
OS: XP Pro


Help, my computer has been hijacked!

This is a PC running Windows XP Pro sp2 and Norton Antivirus 2005.
Something took over this computer and expired my Norton AV subscription even though there are still 8 or 9 months left to it. I tried reactivating Norton once, but it lasted all of 30 seconds and expired again. The culprits have also hijacked my browser and installed a toolbar titled "Security Toolbar 7.1" which states I have a security level of 4 out of 10. Popups keep telling me I have a virus and ask me to click Okay if I want to download antivirus software to remove it. Can someone help?




Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\windows\system32\obxvrmxk.dll
Adware:Adware/Yazzle Not disinfected c:\windows\mrofinu1188.exe
Spyware:Spyware/Virtumonde Not disinfected C:\windows\system32\bqirdjtw.exe
Spyware:Spyware/Virtumonde Not disinfected C:\windows\system32\eorkllwp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\windows\system32\vvwaubit.dll
Spyware:Spyware/Vundo Not disinfected C:\windows\system32\nnnopom.dll
Spyware:Spyware/Virtumonde Not disinfected C:\windows\system32\mstnpjjt.dll
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/myglobalsearch Not disinfected c:\program files\MyGlobalSearch
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@247realmedia[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@ads.pointroll[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@adserver.easyad[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@advertising[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@azjmp[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@bs.serving-sys[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@ccbill[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@citi.bridgetrack[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@fastclick[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@findwhat[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@hc2.humanclick[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@hotlog[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@landing.domainsponsor[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@yadro[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dan the Man\Cookies\dan the man@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Dan the Man\Desktop\Downloads\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Dan the Man\Desktop\Downloads\ComboFix.exe[nircmd.cfexe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dan the Man\Local Settings\Temp\jvyqgatw.exe
Potentially unwanted tool:Application/AVSystemCare Not disinfected C:\Documents and Settings\Dan the Man\Local Settings\Temp\mofugclq.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dan the Man\Local Settings\Temp\sbbvtwtc.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dan the Man\Local Settings\Temporary Internet Files\Content.IE5\MFKZ6LSB\pochki20071106[1]
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Dan the Man\Local Settings\Temporary Internet Files\Content.IE5\WT8949KL\mrofinu[1].zip[mrofinu.exe]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Dan the Man\Shared\us topo mapsource windows Bittorrent downloader.zip[BitDownload fastets Bittorrent downloader.exe]
Virus:Generic Trojan Not disinfected C:\Documents and Settings\Dan the Man\Shared\us topo mapsource windows Bittorrent downloader.zip[BitDownload fastets Bittorrent downloader.exe][sn_minime_1.exe]
Spyware:Cookie/Go Not disinfected C:\Old Files\Dad's Old Computer\DONOTUSE\Cookies\ken leisure@go(1).txt
Spyware:Cookie/Go Not disinfected C:\Old Files\Dad's Old Computer\DONOTUSE\Cookies\ken leisure@go.txt
Spyware:Cookie/Go Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@go[1].txt
Spyware:Cookie/Kount Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@kount[1].txt
Spyware:Cookie/Overture Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[3].txt
Spyware:Cookie/Overture Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[4].txt
Spyware:Cookie/Overture Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@perf.overture[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@tickle[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@tickle[2].txt
Spyware:Cookie/MyWay Not disinfected C:\Old Files\Dad's Old Computer\WINDOWS\Cookies\ken leisure@www.xzoomy[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Old Files\Previous Gateway Files\FILE00CB.CHK
Adware:Adware/SaveNow Not disinfected C:\Old Files\Program Files\BearShare\Installer\BSINSTALL.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ixemyies.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lblblemh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\medaevlo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tbexaqcu.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\txrlemhk.exe
Spyware:Cookie/Go Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\DONOTUSE\Cookies\ken leisure@go(1).txt
Spyware:Cookie/Go Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\DONOTUSE\Cookies\ken leisure@go.txt
Spyware:Cookie/Go Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@go[1].txt
Spyware:Cookie/Kount Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@kount[1].txt
Spyware:Cookie/Overture Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[1].txt
Spyware:Cookie/Overture Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[2].txt
Spyware:Cookie/Overture Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[3].txt
Spyware:Cookie/Overture Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@overture[4].txt
Spyware:Cookie/Overture Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@perf.overture[1].txt
Spyware:Cookie/Tickle Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@tickle[1].txt
Spyware:Cookie/Tickle Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@tickle[2].txt
Spyware:Cookie/MyWay Not disinfected H:\Documents and Settings\All Users\Documents\Dad's Old Computer\WINDOWS\Cookies\ken leisure@www.xzoomy[1].txt
Spyware:Cookie/Tribalfusion Not disinfected H:\Documents and Settings\All Users\Documents\Previous Gateway Files\FILE00CB.CHK
Adware:Adware/SaveNow Not disinfected H:\Documents and Settings\All Users\Documents\Program Files\BearShare\Installer\BSINSTALL.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected H:\hp\bin\KillIt.exe
Virus:Generic Malware Disinfected H:\Program Files\BearShare\Installer\BSInstall5.2.1.2.exe


Deckard's System Scanner v20070905.67
Run by Dan the Man on 2007-11-25 14:11:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Dan the Man.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:47 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\windows\system32\bqirdjtw.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\windows\system32\igfxtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\hkcmd.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\windows\system32\taskmgr.exe
C:\windows\mrofinu.exe
C:\Documents and Settings\Dan the Man\Desktop\Downloads\dss.exe
C:\DOCUME~1\DANTHE~1\Desktop\DOWNLO~1\DANTHE~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://defendingyourfaith.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {b474b19f-b32e-1b49-24a4-91d679ce8f74} - {47f8ec97-6d19-4a42-94b1-e23bf91b474b} - C:\windows\system32\hiotoytu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\windows\system32\mstnpjjt.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\windows\system32\nnnopom.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3EED661-33CB-4FB3-83A7-537DF135C495} - C:\windows\system32\yayxw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\windows\system32\mstnpjjt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [user bib mp3 plan] C:\Documents and Settings\All Users\Application Data\Amok Copy User Bib\great bind.exe
O4 - HKLM\..\Run: [JUMP RECT SAVE PLAN] C:\Documents and Settings\All Users\Application Data\bags amen plan amok\1 Help Debug.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [runner1] C:\windows\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762E902BC9ED7286138F77F0F2CAD4EA481EF7F506DCD610837F810EBCA9D775A67
O4 - HKLM\..\Run: [Host Process] C:\windows\Fonts\svchost.exe
O4 - HKLM\..\Run: [c40b9bcf] rundll32.exe "C:\windows\system32\nrauutat.dll",b
O4 - HKCU\..\Run: [interrdr] C:\DOCUME~1\DANTHE~1\APPLIC~1\BROWSE~1\live close pile.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1146072999566
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport...ScapeTeleX.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: mstnpjjt - C:\windows\SYSTEM32\mstnpjjt.dll
O20 - Winlogon Notify: nnnopom - C:\windows\SYSTEM32\nnnopom.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\windows\system32\bqirdjtw.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8911 bytes

-- Files created between 2007-10-25 and 2007-11-25 -----------------------------

2007-11-25 14:09:08 79936 --a------ C:\windows\system32\hiotoytu.dll
2007-11-25 14:08:42 85056 --a------ C:\windows\system32\nrauutat.dll
2007-11-25 14:08:36 71232 --a------ C:\windows\system32\enbeexia.exe <Not Verified; ; DDC>
2007-11-25 14:08:18 71232 --a------ C:\windows\system32\jxocxnbi.exe <Not Verified; ; DDC>
2007-11-24 13:45:03 79936 --a------ C:\windows\system32\tvwpgfmh.dll
2007-11-24 13:44:18 85056 -----n--- C:\windows\system32\obxvrmxk.dll
2007-11-24 13:43:21 71232 --a------ C:\windows\system32\txrlemhk.exe <Not Verified; ; DDC>
2007-11-22 21:54:31 0 d-------- C:\Program Files\CCleaner
2007-11-22 21:53:17 85056 -----n--- C:\windows\system32\eorkllwp.dll
2007-11-22 21:53:11 79936 --a------ C:\windows\system32\krfswwxw.dll
2007-11-17 19:03:00 71232 --a------ C:\windows\system32\ixemyies.exe <Not Verified; ; DDC>
2007-11-16 18:05:54 79936 --a------ C:\windows\system32\uuattdjf.dll
2007-11-16 18:05:50 85056 -----n--- C:\windows\system32\vvwaubit.dll
2007-11-16 18:05:38 71232 --a------ C:\windows\system32\tbexaqcu.exe <Not Verified; ; DDC>
2007-11-16 00:43:27 436924 ---hs---- C:\windows\system32\wxyay.ini2
2007-11-15 16:15:51 0 d-------- C:\windows\system32\ActiveScan
2007-11-15 14:30:30 15 --a------ C:\windows\system32\c40b8941
2007-11-14 17:01:28 85056 --a------ C:\windows\system32\lblblemh.dll
2007-11-14 16:58:34 79424 --a------ C:\windows\system32\fvqetudd.dll
2007-11-14 16:57:52 35840 -ra------ C:\windows\mrofinu1188.exe
2007-11-14 15:57:54 79424 --a------ C:\windows\system32\lcbscxor.dll
2007-11-14 15:54:51 85056 --a------ C:\windows\system32\medaevlo.dll
2007-11-14 15:50:55 145984 --a------ C:\windows\system32\mstnpjjt.dll
2007-11-14 15:46:21 71232 --a------ C:\windows\system32\bqirdjtw.exe <Not Verified; ; DDC>
2007-11-14 15:38:01 36352 --a------ C:\windows\system32\nnnmnkj.dll
2007-11-14 15:22:53 79424 --a------ C:\windows\system32\jgbuqvrt.dll
2007-11-14 15:21:00 0 --a------ C:\Documents and Settings\Dan the Man\x.dat
2007-11-14 15:19:54 2152 --a------ C:\Documents and Settings\Dan the Man\z.dat
2007-11-10 08:13:29 433840 --ahs---- C:\windows\system32\wxyay.bak2
2007-11-08 20:12:05 445604 ---hs---- C:\windows\system32\wxyay.bak1
2007-11-08 20:09:01 316000 --a------ C:\windows\system32\yayxw.dll
2007-11-08 20:07:15 147456 --a------ C:\windows\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-11-08 20:04:08 134 --a------ C:\n.bat
2007-11-08 20:03:51 35328 --a------ C:\windows\system32\nnnopom.dll
2007-11-08 20:03:48 0 --a------ C:\x.dat
2007-11-08 20:03:33 0 --a------ C:\z.dat
2007-11-08 20:02:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 21:55:55 0 d-------- C:\Program Files\InterActual
2007-11-01 21:28:28 0 d-------- C:\Program Files\DIFX


-- Find3M Report ---------------------------------------------------------------

2007-11-25 03:30:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-24 19:01:02 0 d-------- C:\Program Files\QuickTime
2007-11-24 19:00:17 0 d-------- C:\Program Files\Norton AntiVirus
2007-11-24 18:49:28 0 d-------- C:\Program Files\iTunes
2007-11-24 18:48:14 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-11-22 21:48:27 0 d-------- C:\Program Files\Common Files
2007-11-22 21:17:08 0 d-------- C:\Documents and Settings\Dan the Man\Application Data\U3
2007-11-14 21:33:26 0 d-------- C:\Documents and Settings\Dan the Man\Application Data\LimeWire
2007-11-14 21:30:19 0 d-------- C:\Program Files\LimeWire
2007-10-24 23:10:23 0 d-------- C:\Documents and Settings\Dan the Man\Application Data\DivX
2007-10-24 2349 0 d-------- C:\Program Files\DivX
2007-10-19 20:20:12 0 d-------- C:\Documents and Settings\Dan the Man\Application Data\Wal-Mart Digital Photo Manager
2007-10-19 20:19:54 0 d-------- C:\Program Files\Common Files\HP
2007-10-19 20:19:49 0 d-------- C:\Program Files\Wal-Mart
2007-10-19 20:18:53 0 d-------- C:\Documents and Settings\Dan the Man\Application Data\Wal-Mart Digital Photo Viewer
2007-09-28 09:07:52 3596288 --a------ C:\windows\system32\qt-dx331.dll
2007-09-28 09:05:50 196608 --a------ C:\windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-09-28 09:05:50 81920 --a------ C:\windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-28 09:05:40 802816 --a------ C:\windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-28 09:05:40 823296 --a------ C:\windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 09:05:40 823296 --a------ C:\windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 09:05:40 739840 --a------ C:\windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 09:05:08 12288 --a------ C:\windows\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47f8ec97-6d19-4a42-94b1-e23bf91b474b}]
11/25/2007 02:09 PM 79936 --a------ C:\windows\system32\hiotoytu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
11/14/2007 03:50 PM 145984 --a------ C:\windows\system32\mstnpjjt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
11/08/2007 08:03 PM 35328 --a------ C:\windows\system32\nnnopom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EED661-33CB-4FB3-83A7-537DF135C495}]
11/08/2007 08:09 PM 316000 --a------ C:\windows\system32\yayxw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\windows\system32\mstnpjjt.dll [11/14/2007 03:50 PM 145984]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [11/15/2001 10:00 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 10:46 PM]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [10/26/2005 05:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 09:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 06:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"KernelFaultCheck"="C:\windows\system32\dumprep 0 -k" []
"IgfxTray"="C:\windows\system32\igfxtray.exe" [08/07/2001 11:25 PM]
"HotKeysCmds"="C:\windows\system32\hkcmd.exe" [08/07/2001 10:36 PM]
"user bib mp3 plan"="C:\Documents and Settings\All Users\Application Data\Amok Copy User Bib\great bind.exe" [11/15/2007 03:50 PM]
"JUMP RECT SAVE PLAN"="C:\Documents and Settings\All Users\Application Data\bags amen plan amok\1 Help Debug.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 04:32 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [08/20/2007 10:53 AM]
"runner1"="C:\windows\mrofinu1188.exe" [11/23/2007 12:14 PM]
"Host Process"="C:\windows\Fonts\svchost.exe" []
"c40b9bcf"="C:\windows\system32\nrauutat.dll" [11/25/2007 02:08 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"interrdr"="C:\DOCUME~1\DANTHE~1\APPLIC~1\BROWSE~1\live close pile.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 12:04 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/31/2006 11:58:14 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\windows\system32\nnnopom.dll [11/08/2007 08:03 PM 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mstnpjjt]
mstnpjjt.dll 11/14/2007 03:50 PM 145984 C:\WINDOWS\system32\mstnpjjt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnopom]
nnnopom.dll 11/08/2007 08:03 PM 35328 C:\WINDOWS\system32\nnnopom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\windows\system32\yayxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" /pause


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf8b1cb4-8ff9-11db-a2f6-0001032879e4}]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf8b1cb5-8ff9-11db-a2f6-0001032879e4}]
AutoRun\command- K:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db054670-cb41-11da-a28c-806d6172696f}]
AutoRun\command- C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2007-11-25 14:15:13 ------------


Last edited by Cookie Monster; 11-25-2007 at 02:41 PM. Reason: typos