Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
I think i have a worm I think i have a worm
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 08-20-2007, 03:56 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: XP


I think i have a worm
Whenever i turn on my computer my desktop gets flooded with Symantec Scanning Message boxes and iget an occasional "message can not be sent to blahblah@blah.com" Here is my hijack this scan results. Much thanks in advance for any help


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10374 bytes
OneBadMalafaala is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-21-2007, 06:19 AM   #2 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: XP


Re: I think i have a worm
Bump

I would appreciate any help please
OneBadMalafaala is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-21-2007, 06:25 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,747
OS: WinXP and Vista


Re: I think i have a worm
Hello OneBadMalafaala and welcome,

Please follow the instructions in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log and post the requested logs in your next reply.


**Please note this section of the forum is very busy, so please familiarize yourself with the bumping rules found in Step 5 of our sticky topic mentioned above. One of our Analysts will review your log as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-23-2007, 09:40 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: XP


Re: I think i have a worm
MAIN TEXT:


Deckard's System Scanner v20070819.64
Run by Compaq_Owner on 2007-08-23 18:41:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2007-08-23 22:41:12 UTC - RP874 - Deckard's System Scanner Restore Point
6: 2007-08-23 02:12:08 UTC - RP873 - System Checkpoint
5: 2007-08-21 22:50:02 UTC - RP872 - System Checkpoint
4: 2007-08-20 21:38:39 UTC - RP871 - Restore Operation
3: 2007-08-20 15:36:46 UTC - RP870 - System Checkpoint


-- First Restore Point --
1: 2007-08-18 12:46:43 UTC - RP868 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-23 18:45:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SM1bg.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKEY_LOCAL_MACHINE\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKEY_LOCAL_MACHINE\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [VTTimer] VTTimer.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKEY_LOCAL_MACHINE\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.drivecleaner.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.errorprotector.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.errorsafe.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.imageservr.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.imagesrvr.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.systemdoctor.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.winantispyware.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.winantivirus.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.winfixer.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: *.amaena.com (HKCU)
O15 - Trusted Zone: *.drivecleaner.com (HKCU)
O15 - Trusted Zone: *.errorprotector.com (HKCU)
O15 - Trusted Zone: *.errorsafe.com (HKCU)
O15 - Trusted Zone: *.imageservr.com (HKCU)
O15 - Trusted Zone: *.imagesrvr.com (HKCU)
O15 - Trusted Zone: *.systemdoctor.com (HKCU)
O15 - Trusted Zone: *.winantispyware.com (HKCU)
O15 - Trusted Zone: *.winantivirus.com (HKCU)
O15 - Trusted Zone: *.winfixer.com (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - "C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 HPFECP20 - c:\windows\system32\drivers\hpfecp20.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 CamAv (SAMSUNG Video Capture) - c:\windows\system32\drivers\camav.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
S3 CAMFLT (%CAMFLT.SvcDesc%) - c:\windows\system32\drivers\camflt.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys (file missing)
S3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys (file missing)
S3 smserial - c:\windows\system32\drivers\smserial.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Software Jukebox v2.0 Service - "c:\program files\common files\msjb na02d shared\service\software jukebox v2.0 service file.exe"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP20\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP20\0000
Service: HPFECP20


-- Scheduled Tasks -------------------------------------------------------------

2007-08-22 23:36:40 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-08-17 21:13:35 544 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job


-- Files created between 2007-07-23 and 2007-08-23 -----------------------------

2007-08-22 00:00:52 0 d-------- C:\ie-spyad_zo
2007-08-21 23:56:51 0 d-------- C:\Program Files\SpywareBlaster
2007-08-21 22:51:15 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-20 17:49:23 0 d-------- C:\Program Files\InterMute
2007-08-18 00:34:29 0 d-------- C:\Documents and Settings\Compaq_Owner\R & B
2007-08-16 03:04:01 0 d-------- C:\Program Files\MSXML 6.0
2007-08-13 20:32:18 0 d-------- C:\Mp3 Output
2007-08-13 20:32:16 4762112 --a------ C:\WINDOWS\system32\NCMedia.dll
2007-08-13 20:32:16 383238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-08-13 20:32:16 0 d-------- C:\Program Files\Smallvideosoft
2007-08-12 16:16:35 0 d-------- C:\Documents and Settings\Compaq_Owner\XBOX LIBRARY
2007-08-12 15:43:51 0 dr------- C:\Documents and Settings\All Users\My Music
2007-08-11 16:36:05 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2007-08-11 16:31:17 0 d-------- C:\Program Files\DIFX
2007-08-11 16:31:15 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-11 16:31:08 0 d-------- C:\Program Files\Common Files\ComponentOne
2007-08-11 16:30:56 0 d-------- C:\Program Files\Zune
2007-08-11 16:03:23 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-11 16:01:58 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-11 16:01:58 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-11 16:00:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-08-11 14:48:39 0 d-------- C:\Netgear
2007-08-04 15:19:43 40183 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2007-08-03 21:21:00 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-03 21:07:17 0 d-------- C:\Program Files\Blaze Media Pro
2007-08-03 2145 0 d-------- C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-07-30 21:13:41 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ipswitch
2007-07-30 21:13:33 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-07-30 21:13:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2007-07-30 21:13:32 0 d-------- C:\Program Files\Ipswitch
2007-07-30 21:13:09 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\InstallShield
2007-07-29 18:03:18 0 d-------- C:\Documents and Settings\Compaq_Owner\dwhelper


-- Find3M Report ---------------------------------------------------------------

2007-08-23 18:42:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-23 18:35:59 0 d-------- C:\Program Files\Common Files
2007-08-23 01:02:38 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\U3
2007-08-21 23:32:51 0 d-------- C:\Program Files\Winamp
2007-08-21 23:30:09 0 d-------- C:\Program Files\QuickTime
2007-08-21 23:28:41 0 d-------- C:\Program Files\Norton Personal Firewall
2007-08-21 23:28:39 0 d-------- C:\Program Files\Norton AntiVirus
2007-08-18 01:05:52 0 d-------- C:\Program Files\Soulseek
2007-08-12 16:12:37 5632 --ahs---- C:\Program Files\Thumbs.db
2007-08-12 16:02:18 0 d-------- C:\Program Files\SpongeBob SquarePants Obstacle Odyssey
2007-08-05 08:37:36 0 d-------- C:\Program Files\ISM
2007-07-30 21:13:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-20 17:36:42 0 d-------- C:\Program Files\WaterWolves.com
2007-07-20 17:36:41 13623317 --a------ C:\WINDOWS\system32\WaterWolves Slideshow 2007.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer>
2007-07-16 16:18:13 36352 --a------ C:\WINDOWS\poolsv.exe <Not Verified; Poolsv; Poolsv>
2007-07-16 11:24:14 0 d-------- C:\Program Files\Danny Phantom Ghost Sweep
2007-06-29 11:32:10 146944 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2007-06-28 11:46:47 10620 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-06-14 13:30:42 366 --a------ C:\WINDOWS\PowerReg.dat
2007-06-03 22:04:02 53 --a------ C:\WINDOWS\popcinfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [10/20/2004 09:39 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 11:02 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [04/17/2004 10:41 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/16/2004 07:03 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 11:43 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/21/2004 01:55 AM]
"VTTimer"="VTTimer.exe" []
"SiSPower"="SiSPower.dll" [09/24/2004 12:49 PM C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/23/2005 03:34 PM]
"AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [09/12/2003 11:13 PM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/15/2004 12:54 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [03/24/2005 07:05 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"Ulead Quick-Drop"="C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 11:01 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/20/2004 10:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 06:22 PM]
"poolsv"="C:\WINDOWS\poolsv.exe" [07/16/2007 04:18 PM]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [03/14/2007 05:03 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 07:23 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [05/29/2007 09:34 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [10/21/2004 2:01:35 AM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e64e2f6-3efc-11dc-9f54-0011d81b391d}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-08-23 18:47:12 ------------
Attached Files
File Type: txt extra.txt (28.3 KB, 1 views)
OneBadMalafaala is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-23-2007, 09:42 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: XP


Re: I think i have a worm
Sorry for not reading the instructions before my first post. I have done the 5 steps and have posted my info. The only step I had trouble with was the one where I had to DL the microsoft update. It said my current version was newer that the version I was trying to install. Thank you for your assistance.
OneBadMalafaala is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-23-2007, 09:44 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: XP


Re: I think i have a worm
Oops I forgot to post my Panda log



Incident Status Location

Adware:Adware/WinAntiSpyware Not disinfected c:\windows\poolsv.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UWA7P_0001_N91M0809NetInstaller.exe
Adware:adware/outerinfo Not disinfected Windows Registry
Adware:Adware/Yazzle Not disinfected C:\1053.tmp[¦++\Yazzle1552OinAdmin.exe]
Virus:Trj/Downloader.MDW Not disinfected C:\1055.tmp[BndDrive.dll]
Virus:Generic Trojan Disinfected C:\1058.tmp
Adware:Adware/Yazzle Not disinfected C:\3D3.tmp[¦++\Yazzle1552OinAdmin.exe]
Virus:Trj/Downloader.MDW Not disinfected C:\3D5.tmp[BndDrive.dll]
Adware:Adware/Yazzle Not disinfected C:\B09.tmp[¦++\Yazzle1552OinAdmin.exe]
Virus:Trj/Downloader.MDW Not disinfected C:\B0A.tmp[BndDrive.dll]
Virus:Generic Trojan Disinfected C:\B0E.tmp
Virus:Trj/Ldpinch.WE Disinfected C:\DF.tmp
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.go.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.atwola.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[drivecleaner.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[winantivirus.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[www.errorsafe.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.adtech.de/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.com.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.enhance.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\if24wqyv.Default User\cookies.txt[.yadro.ru/]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f00108-274122e0.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f00109-1626d63b.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-4514e5ea-7e8b26c5.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@go[2].txt
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\ICD1.tmp\UWA7P_0001_N91M0809NetInstaller.exe
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\ICD1.tmp\UWA7P_0001_N91M0809NetInstaller.inf
Virus:Trj/Clicker.WM Disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\poolsv.exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~nsu.tmp\Au_.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
OneBadMalafaala is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-23-2007, 09:53 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,747
OS: WinXP and Vista


Re: I think i have a worm
Hi,

We'll begin with combofix. While your symptoms may improve quite a bit after running this tool, there will be more work to do to finish cleaning the system.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 08-23-2007, 10:19 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: XP


Re: I think i have a worm
ComboFix 07-08-24.4 - "Compaq_Owner" 2007-08-24 0:12:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\COMPAQ~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\C2U2RT7R\www.broadcaster.com
C:\DOCUME~1\COMPAQ~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\WINDOWS\poolsv.exe
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


2007-08-24 00:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 18:40 <DIR> d-------- C:\Deckard
2007-08-22 00:00 <DIR> d-------- C:\ie-spyad_zo
2007-08-21 23:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-21 22:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-20 17:49 <DIR> d-------- C:\Program Files\InterMute
2007-08-18 00:34 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\R & B
2007-08-16 03:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-13 20:32 4,762,112 --a------ C:\WINDOWS\system32\NCMedia.dll
2007-08-13 20:32 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-08-13 20:32 <DIR> d-------- C:\Program Files\Smallvideosoft
2007-08-13 20:32 <DIR> d-------- C:\Mp3 Output
2007-08-12 16:16 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\XBOX LIBRARY
2007-08-12 15:43 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\My Music
2007-08-11 16:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-11 16:31 <DIR> d-------- C:\Program Files\DIFX
2007-08-11 16:31 <DIR> d-------- C:\Program Files\Common Files\ComponentOne
2007-08-11 16:30 <DIR> d-------- C:\Program Files\Zune
2007-08-11 16:03 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-11 16:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-11 16:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-11 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-11 14:48 <DIR> d-------- C:\Netgear
2007-08-03 21:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-03 21:07 <DIR> d-------- C:\Program Files\Blaze Media Pro
2007-08-03 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-07-30 21:13 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-07-30 21:13 <DIR> d-------- C:\Program Files\Ipswitch
2007-07-30 21:13 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Ipswitch
2007-07-30 21:13 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\InstallShield
2007-07-30 21:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ipswitch
2007-07-29 18:03 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\dwhelper


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 18:42 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-23 01:02 --------- d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\U3
2007-08-23 01:02 --------- d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\U3
2007-08-21 23:32 --------- d-------- C:\Program Files\Winamp
2007-08-21 23:30 --------- d-------- C:\Program Files\QuickTime
2007-08-21 23:28 --------- d-------- C:\Program Files\Norton Personal Firewall
2007-08-21 23:28 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-19 16:02 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-18 01:05 --------- d-------- C:\Program Files\Soulseek
2007-08-12 16:12 5632 --ahs---- C:\Program Files\Thumbs.db
2007-08-12 16:02 --------- d-------- C:\Program Files\SpongeBob SquarePants Obstacle Odyssey
2007-07-30 21:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-20 17:36 13623317 --a------ C:\WINDOWS\system32\WaterWolves Slideshow 2007.scr
2007-07-20 17:36 --------- d-------- C:\Program Files\WaterWolves.com
2007-07-16 11:24 --------- d-------- C:\Program Files\Danny Phantom Ghost Sweep
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-01-08 12:17 774144 --a------ C:\Program Files\RngInterstitial.dll
2003-08-27 14:19 36963 -ra------ C:\Program Files\Common Files\SM1updtr.dll
1998-08-24 12:09 10000 --a------ C:\WINDOWS\inf\unregpn.exe
2005-04-17 20:48:17 56 --sh--r C:\WINDOWS\system32\B1AB55B27A.sys
2006-04-08 23:12:48 13,146 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-20 09:39]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 22:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 07:03]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 01:55]
"VTTimer"="VTTime