Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
Quick Help Needed! Quick Help Needed!
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 05-10-2007, 11:29 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 17
OS: WinXP


Quick Help Needed!
Hi friends... Must return my buddy's 'puter... Zapped a Trojan Horse & Adawared & Spybotted... but check out the scarey log below... Only have an hour to dust .. no thorough cleaning today... Can You Help??!
Merci BowwwKoooo
Logfile of HijackThis v1.99.1
Scan saved at 11:25:12 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\limewire\limewire.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\vp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Flightline
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Gszcf] "C:\Documents and Settings\Owner\My Documents\?ystem\n?tepad.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dllhost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FLiCA.Net - {D511EC27-CA32-4EB8-87E3-EEB5CAD42DFE} - http://www.FLiCA.Net (file missing) (HKCU)
O9 - Extra button: Flightline - {D895091A-C075-4130-B2EC-9B2C1F3112AF} - http://www.flightline.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://delta.flightline.com
O16 - DPF: eCrew Delta Technology V14240 - http://ecrew.delta-air.com/eCrew14240.cab
O16 - DPF: eCrew Delta Technology V14251 - http://ecrew.delta-air.com/eCrew14251.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/...l/MFImgVwr.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
saylahv is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-14-2007, 01:41 AM   #2 (permalink)
Analyst, Security Team
 
dorts's Avatar
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,603
OS: Windows XP SP2

My System

Re: Quick Help Needed!
Hi and welcome to TSF.

My name is Keneth and I would be helping you clean up your computer.

I am currently reviewing your log and will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.
__________________




If you think TSF have helped you, please kindly donate to TSF and help keep this site free to all.
dorts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-14-2007, 01:53 AM   #3 (permalink)
Analyst, Security Team
 
dorts's Avatar
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,603
OS: Windows XP SP2

My System

Re: Quick Help Needed!
Hello and welcome to TSF


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. Please stay with me until your system has been declared clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.



ComboFix

1. Download Combofix using this link.

* IMPORTANT !!! Place combofix.exe on your Desktop


2. Run combofix by clicking on combofix.exe on your desktop.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Deckard's System Scanner

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Logs

Please post the following logs in your next reply...
  • C:\combofix.txt
  • C:\Deckard\System Scanner\main.txt
  • C:\Deckard\System Scanner\extra.txt - Attached
__________________




If you think TSF have helped you, please kindly donate to TSF and help keep this site free to all.
dorts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-14-2007, 12:16 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 17
OS: WinXP


Re: Quick Help Needed!
Thank you Keneth!
I had to return the computer for a few days, so will do as instructed as soon as I get it back to cleeean...
You're the best!
--say
saylahv is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-16-2007, 03:01 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 17
OS: WinXP


Re: Quick Help Needed!
I'm back! and did what you said... so below is the combofix & Deckyard main logs..
You're terrific!
--say
"Owner" - 2007-05-16 13:55:14 Service Pack 2
ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\Owner\Desktop\vp\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\smpi1\win67.exe
C:\Temp\17O7\tmpTF.log
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINNT\system32\smpi1
C:\Temp\17O7
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\WINNT\system32\drivers\core.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Owner
C:\qoobox\purity\C\DOCUME~1\Owner\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Owner\MYDOCU~1\YSTEM~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-16 10:38 <DIR> d-------- C:\Avenger
2007-05-10 23:11 <DIR> d-------- C:\Program Files\iTunes
2007-05-10 23:11 <DIR> d-------- C:\Program Files\iPod
2007-05-10 23:07 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-10 16:46 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-05-10 13:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-10 13:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-10 13:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-05-09 20:39 163,840 --a------ C:\WINNT\system32\igfxres.dll
2007-05-09 20:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-09 20:29 <DIR> d-------- C:\WINNT\system32\LogFiles
2007-05-09 20:29 <DIR> d-------- C:\WINNT\system32\drivers\UMDF
2007-05-09 20:08 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Corel
2007-05-09 19:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-09 19:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-09 19:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 18:27 167 --a------ C:\WINNT\system32\9715.bat
2007-05-09 17:37 167 --a------ C:\DOCUME~1\Owner\5782.bat
2007-05-08 17:37 167 --a------ C:\DOCUME~1\Owner\3164.bat
2007-05-08 09:14 167 --a------ C:\DOCUME~1\Owner\1270.bat
2007-05-08 08:29 167 --a------ C:\DOCUME~1\Owner\9826.bat
2007-05-08 08:09 167 --a------ C:\DOCUME~1\Owner\3239.bat
2007-05-07 21:59 167 --a------ C:\DOCUME~1\Owner\4137.bat
2007-05-07 21:45 167 --a------ C:\DOCUME~1\Owner\3155.bat
2007-05-07 08:23 167 --a------ C:\DOCUME~1\Owner\1954.bat
2007-05-06 22:30 167 --a------ C:\DOCUME~1\Owner\9539.bat
2007-05-06 20:26 167 --a------ C:\DOCUME~1\Owner\3262.bat
2007-05-06 20:11 167 --a------ C:\DOCUME~1\Owner\3335.bat
2007-05-06 20:03 167 --a------ C:\DOCUME~1\Owner\6286.bat
2007-05-06 19:18 167 --a------ C:\DOCUME~1\Owner\3696.bat
2007-05-06 17:34 <DIR> d-------- C:\WINNT\fuqk
2007-05-06 17:34 <DIR> d-------- C:\Program Files\Common Files\fuqk
2007-05-06 17:04 <DIR> d--hs---- C:\WINNT\QmV2ZXJsZXkgQnVjaGFuYW4
2007-05-06 10:11 167 --a------ C:\DOCUME~1\Owner\7124.bat
2007-05-05 16:50 167 --a------ C:\DOCUME~1\Owner\6159.bat
2007-05-04 07:04 167 --a------ C:\DOCUME~1\Owner\2166.bat
2007-05-03 18:11 167 --a------ C:\DOCUME~1\Owner\6499.bat
2007-05-03 08:25 167 --a------ C:\DOCUME~1\Owner\9266.bat
2007-05-02 08:56 167 --a------ C:\DOCUME~1\Owner\9392.bat
2007-05-01 09:27 167 --a------ C:\DOCUME~1\Owner\3614.bat
2007-04-30 22:02 8,464 --a------ C:\WINNT\system32\sporder.dll
2007-04-30 22:02 167 --a------ C:\WINNT\system32\7469.bat
2007-04-30 22:01 32,768 --a------ C:\WINNT\system32\setup9x.exe
2007-04-30 22:01 109,360 --a------ C:\WINNT\system32\app.exe
2007-04-30 22:01 0 --a------ C:\WINNT\system32\taskkill.exe
2007-04-30 22:01 <DIR> d-------- C:\WINNT\system32\SBO
2007-04-30 22:00 147,456 --a------ C:\WINNT\system32\vbzip10.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-16 21:43:19 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-16 18:28:30 -------- d-----w C:\Program Files\QuickTime
2007-05-16 18:26:23 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-16 18:22:49 -------- d-----w C:\Program Files\Messenger
2007-05-11 00:21:14 -------- d-----w C:\Program Files\LimeWire
2007-05-10 23:54:06 -------- d-----w C:\Program Files\Winamp
2007-05-10 03:38:27 -------- d-----w C:\Program Files\Google
2007-05-10 03:17:15 -------- d-----w C:\Program Files\SIFXINST
2007-05-10 03:15:58 -------- d-----w C:\Program Files\Gateway
2007-05-10 03:15:56 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-05-10 03:15:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-10 02:48:42 -------- d-----w C:\Program Files\WildTangent
2007-05-10 02:45:53 -------- d-----w C:\Program Files\NoAdware4
2007-05-10 01:40:05 -------- d-----w C:\Program Files\Symantec
2007-04-21 05:45:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Keyhole
2007-03-17 13:43:01 292,864 ----a-w C:\WINNT\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINNT\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINNT\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINNT\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINNT\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINNT\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-01-05 13:30]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}=C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 09:00]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 00:09]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-07 12:34]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-07-31 19:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe" [2006-01-19 11:06]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11:06]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-01-23 11:36]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 04:00]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-01-23 11:31]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 12:50 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2002-08-06 13:24]
"GWMDMMSG"="GWMDMMSG.exe" []
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-04-17 14:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=dword:00000002
"cmdService"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*newlycreated* -NMSSVC

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070516-104453-942
O4 - HKCU\..\Run: [Gszcf] "C:\Documents and Settings\Owner\My Documents\?ystem\n?tepad.exe"
backup-20070516-104453-911
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
backup-20070516-104453-795
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
backup-20070516-104453-190
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1\ping.exe" -vt yazb

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\ISP signup reminder 1.job
C:\WINNT\tasks\ISP signup reminder 2.job
C:\WINNT\tasks\ISP signup reminder 3.job
C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
C:\WINNT\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 14:41:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-16 14:49:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-16 14:49


--- E O F ---
Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-16 at 14:53:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-16 21:53:09 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:54:31 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\Desktop\vp\dss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\Desktop\vp\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FLiCA.Net - {D511EC27-CA32-4EB8-87E3-EEB5CAD42DFE} - http://www.FLiCA.Net (file missing) (HKCU)
O9 - Extra button: Flightline - {D895091A-C075-4130-B2EC-9B2C1F3112AF} - http://www.flightline.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://delta.flightline.com
O16 - DPF: eCrew Delta Technology V14240 - http://ecrew.delta-air.com/eCrew14240.cab
O16 - DPF: eCrew Delta Technology V14251 - http://ecrew.delta-air.com/eCrew14251.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/...l/MFImgVwr.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\Desktop\vp\backups\) ------------

backup-20070516-104453-190 O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1\ping.exe" -vt yazb
backup-20070516-104453-795 O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
backup-20070516-104453-911 O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
backup-20070516-104453-942 O4 - HKCU\..\Run: [Gszcf] "C:\Documents and Settings\Owner\My Documents\?ystem\n?tepad.exe"

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Cdr4_xp - c:\winnt\system32\drivers\cdr4_xp.sys <Not Verified; Roxio; DirectCD>
R1 Cdralw2k - c:\winnt\system32\drivers\cdralw2k.sys <Not Verified; Roxio; DirectCD>
R1 cdudf_xp - c:\winnt\system32\drivers\cdudf_xp.sys <Not Verified; Roxio; DirectCD>
R1 pwd_2k - c:\winnt\system32\drivers\pwd_2k.sys <Not Verified; Roxio; DirectCD>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 UdfReadr_xp - c:\winnt\system32\drivers\udfreadr_xp.sys <Not Verified; Roxio; DirectCD>
R2 MCSTRM - c:\winnt\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\winnt\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
R3 mmc_2K - c:\winnt\system32\drivers\mmc_2k.sys <Not Verified; Roxio; DirectCD>

S2 IPSECEXT (Nortel Extranet Access Protocol) - c:\winnt\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
S3 ATWPKT2 - c:\progra~1\americ~1.0\atwpkt2.sys (file missing)
S3 dvd_2K - c:\winnt\system32\drivers\dvd_2k.sys <Not Verified; Roxio; DirectCD>
S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 NMSSvc (Intel(R) NMS) - c:\winnt\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Scheduled Tasks -------------------------------------------------------------

2007-05-16 14:52:00 366 --a------ C:\WINNT\Tasks\Symantec NetDetect.job
2007-05-13 09:02:35 464 --a------ C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job
2007-05-10 23:07:46 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job
2003-04-19 10:30:00 254 --a------ C:\WINNT\Tasks\ISP signup reminder 1.job
2003-04-17 12:56:54 254 --a------ C:\WINNT\Tasks\ISP signup reminder 3.job
2003-04-17 12:56:54 254 --a------ C:\WINNT\Tasks\ISP signup reminder 2.job


-- Files created between 2007-04-16 and 2007-05-16 -----------------------------

2007-05-16 10:38:54 0 d-------- C:\Avenger
2007-05-10 23:11:22 0 d-------- C:\Program Files\iPod
2007-05-10 23:11:10 0 d-------- C:\Program Files\iTunes
2007-05-10 23:07:42 0 d-------- C:\Program Files\Apple Software Update
2007-05-10 16:46:07 0 d-------- C:\WINNT\system32\ActiveScan
2007-05-10 13:44:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-05-10 13:43:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-05-10 13:43:42 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-05-09 20:32:22 0 d-------- C:\Program Files\Windows Media Connect 2
2007-05-09 20:29:34 0 d-------- C:\WINNT\system32\LogFiles
2007-05-09 20:29:34 0 d-------- C:\WINNT\system32\drivers\UMDF
2007-05-09 20:08:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2007-05-09 19:43:27 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-05-09 19:18:35 0 d-------- C:\Program Files\Lavasoft
2007-05-09 19:16:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 18:27:31 167 --a------ C:\WINNT\system32\9715.bat
2007-05-09 17:37:59 167 --a------ C:\Documents and Settings\Owner\5782.bat
2007-05-08 17:37:03 167 --a------ C:\Documents and Settings\Owner\3164.bat
2007-05-08 09:14:01 167 --a------ C:\Documents and Settings\Owner\1270.bat
2007-05-08 08:29:40 167 --a------ C:\Documents and Settings\Owner\9826.bat
2007-05-08 08:09:28 167 --a------ C:\Documents and Settings\Owner\3239.bat
2007-05-07 21:59:56 167 --a------ C:\Documents and Settings\Owner\4137.bat
2007-05-07 21:45:37 167 --a------ C:\Documents and Settings\Owner\3155.bat
2007-05-07 08:23:18 167 --a------ C:\Documents and Settings\Owner\1954.bat
2007-05-06 22:30:58 167 --a------ C:\Documents and Settings\Owner\9539.bat
2007-05-06 20:26:38 167 --a------ C:\Documents and Settings\Owner\3262.bat
2007-05-06 20:11:12 167 --a------ C:\Documents and Settings\Owner\3335.bat
2007-05-06 20:03:11 167 --a------ C:\Documents and Settings\Owner\6286.bat
2007-05-06 19:18:25 167 --a------ C:\Documents and Settings\Owner\3696.bat
2007-05-06 17:34:23 0 d-------- C:\Program Files\Common Files\fuqk
2007-05-06 17:34:22 0 d-------- C:\WINNT\fuqk
2007-05-06 17:04:02 0 d--hs---- C:\WINNT\QmV2ZXJsZXkgQnVjaGFuYW4
2007-05-06 10:11:15 167 --a------ C:\Documents and Settings\Owner\7124.bat
2007-05-05 16:50:54 167 --a------ C:\Documents and Settings\Owner\6159.bat
2007-05-04 07:04:53 167 --a------ C:\Documents and Settings\Owner\2166.bat
2007-05-03 18:11:42 167 --a------ C:\Documents and Settings\Owner\6499.bat
2007-05-03 08:25:18 167 --a------ C:\Documents and Settings\Owner\9266.bat
2007-05-02 08:56:52 167 --a------ C:\Documents and Settings\Owner\9392.bat
2007-05-01 09:27:13 167 --a------ C:\Documents and Settings\Owner\3614.bat
2007-04-30 22:02:17 167 --a------ C:\WINNT\system32\7469.bat
2007-04-30 22:02:10 8464 --a------ C:\WINNT\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2007-04-30 22:01:43 0 d-------- C:\WINNT\system32\SBO
2007-04-30 22:01:41 109360 --a------ C:\WINNT\system32\app.exe
2007-04-30 22:01:34 32768 --a------ C:\WINNT\system32\setup9x.exe <Not Verified; w00t; hjjju56>
2007-04-30 22:01:30 0 --a------ C:\WINNT\system32\taskkill.exe
2007-04-30 22:00:01 147456 --a------ C:\WINNT\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>


-- Find3M Report ---------------------------------------------------------------

2007-05-16 14:43:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-16 11:28:30 0 d-------- C:\Program Files\QuickTime
2007-05-16 11:26:23 0 d-------- C:\Program Files\Norton AntiVirus
2007-05-16 11:22:49 0 d-------- C:\Program Files\Messenger
2007-05-10 17:21:14 0 d-------- C:\Program Files\LimeWire
2007-05-10 17:15:00 22 --a------ C:\Program Files\c.zip
2007-05-10 17:14:58 22 --a------ C:\Program Files\b.zip
2007-05-10 17:14:08 22 --a------ C:\Program Files\a.zip
2007-05-10 16:54:06 0 d-------- C:\Program Files\Winamp
2007-05-10 15:17:15 25214 --a------ C:\Program Files\A.ico
2007-05-10 15:17:13 25214 --a------ C:\Program Files\B.ico
2007-05-09 20:38:27 0 d-------- C:\Program Files\Google
2007-05-09 20:17:15 0 d-------- C:\Program Files\SIFXINST
2007-05-09 20:16:29 20421 --a------ C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
2007-05-09 20:15:58 0 d-------- C:\Program Files\Gateway
2007-05-09 20:15:56 0 d-------- C:\Program Files\PC-Doctor for Windows
2007-05-09 20:15:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-09 19:48:42 0 d-------- C:\Program Files\WildTangent
2007-05-09 19:45:53 0 d-------- C:\Program Files\NoAdware4
2007-05-09 18:40:05 0 d-------- C:\Program Files\Symantec
2007-05-08 13:14:01 4 --a------ C:\WINNT\system32\0568C6
2007-04-20 22:45:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Keyhole


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{243B17DE-77C7-46BF-B94B-0B5F309A0E64} C:\Program Files\Microsoft Money\System\mnyside.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"GWMDMpi"="C:\\WINNT\\GWMDMpi.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
@="C:\\WINNT\\\\BBStore\\DSS\\dssagent.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealOneMessageCenter"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\RealOneMessageCenter.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=dword:00000002
"cmdService"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NMSSVC


-- End of Deckard's System Scanner: finished at 2007-05-16 at 14:55:25 ---------
Attached Files
File Type: txt extra.txt (11.9 KB, 1 views)
saylahv is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-17-2007, 01:15 AM   #6 (permalink)
Analyst, Security Team
 
dorts's Avatar
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,603
OS: Windows XP SP2

My System

Re: Quick Help Needed!
Hello and welcome to TSF


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. Please stay with me until your system has been declared clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.



Downloads and others

Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1


Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.


Safe Mode
  • Restart your computer.
  • Before the Windows logo appear, tap F8 repeatedly. In some systems, this may be the F5 key.
  • A menu should appear, select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take a while than usual, so just wait.
  • After it loads, Login on your usual account.

Uninstall

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
  • Java 2 Runtime Environment, SE v1.4.1_01
  • Java 2 Runtime Environment, SE v1.4.0_03
  • J2SE Runtime Environment 5.0 Update 3
  • J2SE Runtime Environment 5.0 Update 6
  • Viewpoint Media Player

    DO NOT uninstall J2SE Runtime Environment 5.0 Update 10

ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


AVG Anti-Spyware

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).



You may now reboot back to normal mode




Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Logs

Please post the following logs in your next reply...
  • AVG Anti-Spyware's Log
  • Panda’s Online Scan Log
  • A Fresh New DSS Log.

How is the system running now?
__________________




If you think TSF have helped you, please kindly donate to TSF and help keep this site free to all.
dorts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-17-2007, 11:34 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 17
OS: WinXP


Re: Quick Help Needed!
ooohhhKayyyy... I did all you said... The only tiny blip was that the Java Updates wouldn't uninstall in Safe mode... but I u.i.'d them in Normal mode... rebooted in safe mode... well you get the picture...
Here are the 3 Logs::: (have to return this machine today... but it seeeeems to move a bit faster)
No extra.txt during DSS this time...
You Rock!
--say
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:01:41 AM 5/17/2007

+ Scan result:



C:\Program Files\Netscape\Netscape\Plugins\npclntax.dll -> Adware.Zango : Cleaned.
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\win67.exe.vir -> Adware.ZQuest : Cleaned.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070509.019\0001NAV~.TMP -> Downloader.TSUpdate.l : Cleaned.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070516.017\0001NAV~.TMP -> Downloader.TSUpdate.l : Cleaned.
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.


::Report end


Incident Status Location

Adware:adware/comet Not disinfected c:\winnt\downloaded program files\dm.inf
Adware:adware/wupd Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\vp\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe

Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-17 at 11:30:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:30:25 AM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\vp\dss.exe
C:\DOCUME~1\Owner\Desktop\vp\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fylh19of.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-