Old 07-16-2006, 03:58 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


Slow computer, processes using 100% CPU

My computer runs slowly, taking a while to turn on or off, and it lags when I do almost anything....

I also usually get a process that uses 100% CPU, which I have to end, and it only comes back when I start up again.

Here is my HJT log after completing the 5 steps:

Logfile of HijackThis v1.99.1
Scan saved at 7:54:16 PM, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\System32\Starter.Exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\EasyMP3\EasyRen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\WINNT\svdsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.connect.com.au:8080
O1 - Hosts: .com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\Yetisports\IEButtonYetiSportsEBayInterface.dll (file missing)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Gamgen\WINXP~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar1.dll
O2 - BHO: Gram curb - {E2313982-8832-475E-806B-98361C9A40DB} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: HeckCompView - {25773B95-6429-6F8E-DCDB-BE60C7201A0F} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\System32\Starter.Exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EasyMP3 Track Rename] EasyRen.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [svdsrv] C:\WINNT\svdsrv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Gamgen\WIN XP\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Firefly] "C:\Program Files\Firefly\Firefly.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - HKCU\..\Run: [Cahc] "C:\Program Files\rtel\erha.exe" -vt yazr
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Gamgen\WIN XP\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Gamgen\WINXP~1\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Aqua Dock.lnk = C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - Startup: MSNP13 Downgrader.lnk = ?
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Hope you can help me. Thanks in advance.
junaman is offline  

Old 07-16-2006, 01:05 PM   #2 (permalink)
Mentor, Analyst - Security Team
 
Deckard's Avatar
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Hello and welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
Deckard is offline  
Old 07-16-2006, 11:51 PM   #3 (permalink)
Mentor, Analyst - Security Team
 
Deckard's Avatar
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Hello junaman,

Do you have any knowledge of Openware's LiveUpdate? Is it perhaps part of an application you have installed? Please let me know in your next reply.


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.


Download CleanUp!
Download and install CleanUp! but do not run it yet.

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run CleanUp! under Windows XP x64 Edition. If you're not sure if you are running the 64-bit version of Windows then you probably aren't; however, you can check by downloading (using IE) and then running the whichcpu tool.


Download Ewido
Please download, install, and update Ewido Anti-Spyware.
  1. Load Ewido and then click the Shield tab at the top
    • Click on the word active to change it to inactive.
  2. Click the Update tab at the top:
    • Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
    • Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
  3. Click the Scanner tab at the top and then the Settings sub-tab:
    • Under How to act?, click Recommended actions and select Quarantine.
    • Under Reports, select Automatically generate report after every scan
  4. Close Ewido. Do not run a scan with it yet.

Download NoLOP
  • Please download NoLop to your desktop from one of the following links:
    1. SpywareEdge (US)
    2. Spyware Times (Qatar)
    3. The Spykiller (UK)
  • First close any other programs you have running as this will require a reboot.
  • Double click NoLop.exe to run it.
    • Carefully type or copy and paste this series of characters into the lower text area labelled Insert CLSID Here.
      Include the {}:
      {E2313982-8832-475E-806B-98361C9A40DB}
  • Now click the button labelled "Search and Destroy".
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, click OK.
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log with your next reply.
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.


Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
AutoUpdate
EQBranch
Messenger Plus! 3 -- This program is known to install the malware that you have, a LOP infection. If the program is a must have, reinstall it and decline when asked to install the sponsor's software. Also ignore the fixes for it below if you decide to reinstall it.
PurityScan by OIN
Snowball Wars by OIN
Yazzle by OIN
...or any programs by OIN
In case PurityScan or OINs are not listed, please download and use this uninstaller.


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O1 - Hosts: .com
O4 - HKLM\..\Run: [svdsrv] C:\WINNT\svdsrv.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - HKCU\..\Run: [Cahc] "C:\Program Files\rtel\erha.exe" -vt yazr
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
Please remember to close all other windows, including browsers then click Fix checked.


Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\AutoUpdate
C:\Program Files\EQBranch
C:\Program Files\Messenger Plus! 3
C:\Program Files\rtel
C:\WINNT\svdsrv.exe
winjks32.dll <-- find via Start > Search. Probably in C:\WINNT\System32

Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    • Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
    Click OK.
  • Press the CleanUp! button to start the program.
Once it's finished, CleanUp! will ask you to log off/reboot. Please select NO as we will do this later.


Run Ewido
  • Run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop).
  • Close Ewido.

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan.
  1. Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
  2. Enter your e-mail address, country, and state and click Scan Now.
  3. Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
  4. Begin the scan by selecting My Computer. Note:
    • Please turn off the real time scanner of any existing antivirus program while performing the online scan.
    • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
    • Click on See report then click Save report.
    • It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.

With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. C:\NoLop.log,
  2. Ewido Scan report,
  3. Panda Scan report, and
  4. a new HiJackThis log taken after the Panda scan finishes.
Deckard is offline  
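As an added example (not code from the thread, from HijackThis or from TSF), the script below parses the HijackThis line format shown in post #1 and flags the same entry classes the analyst put on the "Fix checked" list: search/start-page hijacks, hosts-file entries, an autorun executable dropped directly into the Windows folder, ActiveX (O16 DPF) downloads from hosts outside an allowlist, and a Winlogon Notify DLL with no file on disk. The expected-host and trusted-DPF allowlists are assumptions made for the example, and the sample lines are a subset copied from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
O1 - Hosts: .com
O2 - BHO: Gram curb - {E2313982-8832-475E-806B-98361C9A40DB} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\System32\Starter.Exe
O4 - HKLM\..\Run: [svdsrv] C:\WINNT\svdsrv.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
"""

# Assumption for this example: the search/start-page hosts the analyst left untouched.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.google.com.au"}
# Assumption for this example: DPF (ActiveX) download hosts treated as benign.
TRUSTED_DPF_HOSTS = {"messenger.zone.msn.com"}
# IE registry value names that control search and start page (the R0/R1 lines).
SEARCH_VALUE_NAMES = {"SearchURL", "Default_Search_URL", "Start Page_bak",
                      "CustomizeSearch", "SearchAssistant", "Start Page"}

LINE_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    code: str                       # HijackThis section code, e.g. "R1", "O4", "O20"
    body: str                       # everything after the "Rn - " / "Onn - " prefix
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return one Entry per HijackThis item line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def host_of(value):
    """Host part of a URL-like value: 'http://a.b/c?x' and 'a.b' both give 'a.b'."""
    v = re.sub(r"^[a-z]+://", "", value.strip().lower())
    return v.split("/", 1)[0].split("?", 1)[0]


def triage(entries):
    """Attach triage flags to entries and return only the flagged ones."""
    for e in entries:
        if e.code in ("R0", "R1"):
            # Body looks like: HKCU\...\Main,SearchURL = prosearching.com
            key, _, value = e.body.partition(" = ")
            name = key.rsplit(",", 1)[-1]
            if name in SEARCH_VALUE_NAMES and host_of(value) not in EXPECTED_SEARCH_HOSTS:
                e.flags.append("search/start-page hijack: " + host_of(value))
        elif e.code == "O1":
            # HijackThis only lists hosts-file overrides; each one deserves a look.
            e.flags.append("hosts file entry")
        elif e.code == "O4":
            # An .exe sitting directly in the Windows folder (not System32) is unusual.
            if re.search(r'\\(?:winnt|windows)\\[^\\"\s]+\.exe(?:"|\s|$)', e.body, re.I):
                e.flags.append("autorun executable directly in Windows folder")
        elif e.code == "O16":
            # DPF lines end with the download URL; some have none at all.
            m = re.search(r"https?://\S+", e.body)
            if m and host_of(m.group()) not in TRUSTED_DPF_HOSTS:
                e.flags.append("ActiveX download from untrusted host: " + host_of(m.group()))
        elif e.code == "O20" and "(file missing)" in e.body:
            # A Winlogon Notify DLL that is registered but absent is a classic leftover.
            e.flags.append("Winlogon Notify DLL missing on disk")
        if e.code != "O20" and ("(file missing)" in e.body or "(no file)" in e.body):
            e.flags.append("orphaned entry (no file on disk)")
    return [e for e in entries if e.flags]


def report(text):
    """Human-readable triage lines for a whole log."""
    return ["%s - %s  <-- %s" % (e.code, e.body, "; ".join(e.flags))
            for e in triage(parse_log(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```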
Old 07-17-2006, 06:22 AM   #4 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


There's a LiveUpdate that comes with Norton Antivirus, but other than that I'm unaware of anything with this name.
Also I've noticed that in the Program Files and My Documents folders, there are several folders that have been duplicated, with empty copies.

Here are the logs:


NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Moscow\Desktop
[17/07/2006]
[5:59:48 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator.moscow-zq1ujk6a\Application Data\Microsoft
C:\Documents and Settings\Administrator.moscow-zq1ujk6a.000\Application Data\Microsoft
C:\Documents and Settings\Administrator.moscow-zq1ujk6a.001\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Acd Systems
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Arcsoft
C:\Documents and Settings\All Users\Application Data\Gamehouse
C:\Documents and Settings\All Users\Application Data\Macromedia
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Skype -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Moscow\Application Data\.bittorrent
C:\Documents and Settings\Moscow\Application Data\Acd Systems
C:\Documents and Settings\Moscow\Application Data\Adobe
C:\Documents and Settings\Moscow\Application Data\Adobeum
C:\Documents and Settings\Moscow\Application Data\Alien Skin
C:\Documents and Settings\Moscow\Application Data\Apple Computer
C:\Documents and Settings\Moscow\Application Data\Arcsoft
C:\Documents and Settings\Moscow\Application Data\Azureus
C:\Documents and Settings\Moscow\Application Data\A?sembly
C:\Documents and Settings\Moscow\Application Data\A?ppatch
C:\Documents and Settings\Moscow\Application Data\Executivesoftware
C:\Documents and Settings\Moscow\Application Data\F?nts
C:\Documents and Settings\Moscow\Application Data\F?nts
C:\Documents and Settings\Moscow\Application Data\Google
C:\Documents and Settings\Moscow\Application Data\Help
C:\Documents and Settings\Moscow\Application Data\Holdpoll -- EMPTY Directory
C:\Documents and Settings\Moscow\Application Data\Ibm Sash -- EMPTY Directory
C:\Documents and Settings\Moscow\Application Data\Icqlite
C:\Documents and Settings\Moscow\Application Data\Identities
C:\Documents and Settings\Moscow\Application Data\Lavasoft
C:\Documents and Settings\Moscow\Application Data\Leadertech
C:\Documents and Settings\Moscow\Application Data\Lycos
C:\Documents and Settings\Moscow\Application Data\Macromedia
C:\Documents and Settings\Moscow\Application Data\Media Player Classic
C:\Documents and Settings\Moscow\Application Data\Microsoft
C:\Documents and Settings\Moscow\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Moscow\Application Data\Mozilla
C:\Documents and Settings\Moscow\Application Data\Msn6
C:\Documents and Settings\Moscow\Application Data\My Games
C:\Documents and Settings\Moscow\Application Data\M?crosoft
C:\Documents and Settings\Moscow\Application Data\M?crosoft.net
C:\Documents and Settings\Moscow\Application Data\Raptisoft
C:\Documents and Settings\Moscow\Application Data\Real
C:\Documents and Settings\Moscow\Application Data\Skype
C:\Documents and Settings\Moscow\Application Data\Smartdraw
C:\Documents and Settings\Moscow\Application Data\Sony
C:\Documents and Settings\Moscow\Application Data\Sun
C:\Documents and Settings\Moscow\Application Data\Symantec
C:\Documents and Settings\Moscow\Application Data\S?curity
C:\Documents and Settings\Moscow\Application Data\S?mantec
C:\Documents and Settings\Moscow\Application Data\S?mbols
C:\Documents and Settings\Moscow\Application Data\S?stem
C:\Documents and Settings\Moscow\Application Data\S?stem32
C:\Documents and Settings\Moscow\Application Data\Talkback
C:\Documents and Settings\Moscow\Application Data\Trend Micro
C:\Documents and Settings\Moscow\Application Data\T?sks
C:\Documents and Settings\Moscow\Application Data\Utorrent
C:\Documents and Settings\Moscow\Application Data\W?nsxs
C:\Documents and Settings\Moscow\Application Data\?dobe
C:\Documents and Settings\Moscow\Application Data\?pppatch
C:\Documents and Settings\Moscow\Application Data\??ppatch
C:\Documents and Settings\Moscow\Application Data\?icrosoft
C:\Documents and Settings\Moscow\Application Data\?icrosoft.net
C:\Documents and Settings\Moscow\Application Data\??crosoft
C:\Documents and Settings\Moscow\Application Data\??crosoft.net
C:\Documents and Settings\Moscow\Application Data\?racle
C:\Documents and Settings\Moscow\Application Data\?asks
C:\Documents and Settings\Moscow\Application Data\??sks
C:\Documents and Settings\Moscow\Application Data\?ecurity
C:\Documents and Settings\Moscow\Application Data\?ymantec
C:\Documents and Settings\Moscow\Application Data\?ymbols
C:\Documents and Settings\Moscow\Application Data\?ystem
C:\Documents and Settings\Moscow\Application Data\?ystem32
C:\Documents and Settings\Moscow\Application Data\??curity
C:\Documents and Settings\Moscow\Application Data\??mantec
C:\Documents and Settings\Moscow\Application Data\??mbols
C:\Documents and Settings\Moscow\Application Data\??stem
C:\Documents and Settings\Moscow\Application Data\??stem32
C:\Documents and Settings\Moscow\Application Data\?dobe
C:\Documents and Settings\Moscow\Application Data\?pppatch
C:\Documents and Settings\Moscow\Application Data\?ssembly
C:\Documents and Settings\Moscow\Application Data\??sembly
C:\Documents and Settings\Moscow\Application Data\??ppatch
C:\Documents and Settings\Moscow\Application Data\?icrosoft
C:\Documents and Settings\Moscow\Application Data\?icrosoft.net
C:\Documents and Settings\Moscow\Application Data\??crosoft
C:\Documents and Settings\Moscow\Application Data\??crosoft.net
C:\Documents and Settings\Moscow\Application Data\?racle
C:\Documents and Settings\Moscow\Application Data\?asks
C:\Documents and Settings\Moscow\Application Data\??sks
C:\Documents and Settings\Networkservice\Application Data\Microsoft


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:28:14 PM 17/07/2006

+ Scan result:



HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\WINNT\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINNT\NDNuninstall4_80.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
HKU\S-1-5-21-861567501-1715567821-682003330-1000\Software\DNS -> Adware.Shorty : Cleaned with backup (quarantined).
HKU\S-1-5-21-861567501-1715567821-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11A4CA8C-A8B9-49C2-A6D3-3F64C9EEBAE6} -> Adware.Shorty : Cleaned with backup (quarantined).
C:\Program Files\Surcode\crack\sccdprodts.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined).
HKU\S-1-5-21-861567501-1715567821-682003330-1000\Software\SCom -> Dialer.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Moscow\index.exe/vonner.exe -> Dropper.Agent.kd : Cleaned with backup (quarantined).


::Report end




Incident Status Location

Adware:adware/maxifiles Not disinfected c:\program files\common files\mc-58-12-0000080.exe
Adware:adware/shorty Not disinfected c:\program files\common files\services.exe
Adware:adware/comet Not disinfected c:\winnt\inf\dm.PNF
Spyware:spyware/betterinet Not disinfected c:\winnt\inf\satmat.inf
Adware:adware/wintools Not disinfected c:\sys.exe
Dialer:dialer.bny Not disinfected c:\winnt\pcconfig.dat
Adware:adware/twain-tech Not disinfected c:\winnt\satmat.ini
Adware:adware/elitebar Not disinfected C:\Documents and Settings\Moscow\Favorites\Casino & Carrers
Adware:adware/cws Not disinfected C:\Documents and Settings\Moscow\Favorites\Going Places
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Moscow\Application Data\Lycos
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry


Logfile of HijackThis v1.99.1
Scan saved at 10:22:21 PM, on 17/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\System32\Starter.Exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.connect.com.au:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\Yetisports\IEButtonYetiSportsEBayInterface.dll (file missing)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Gamgen\WINXP~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O2 - BHO: Gram curb - {E2313982-8832-475E-806B-98361C9A40DB} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: HeckCompView - {25773B95-6429-6F8E-DCDB-BE60C7201A0F} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\System32\Starter.Exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
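The entries such as `?dobe`, `??crosoft` and `?asks` in the Application Data listing above are folder names the forum could not render: the leading characters are non-ASCII look-alikes of the letters in a genuine folder name (Adobe, Microsoft, Tasks), so the adware folder sits next to the real one in Explorer and is easy to overlook. That check can be automated. The following is an added example, not code from the thread or from any tool mentioned in it; it takes a list of folder names and reports which ones shadow a known-good folder once look-alike characters are wildcarded. The sample input is constructed, mixing real Unicode look-alikes with two lines copied as the forum rendered them, and `KNOWN_GOOD`, `skeleton`, `matches` and `find_lookalikes` are names chosen here.

```python
"""Flag look-alike folder names that shadow a genuine folder (added example)."""
import unicodedata

# Folders that legitimately live under Application Data on the affected machine,
# taken from the listing in the thread. Windows compares names case-insensitively.
KNOWN_GOOD = sorted({
    "Adobe", "Apppatch", "Assembly", "Microsoft", "Microsoft.net", "Oracle",
    "Security", "Symantec", "Symbols", "System", "System32", "Tasks",
})

# Constructed input: genuine folders, real Unicode look-alikes, and two lines
# exactly as the forum rendered them (a '?' cannot occur in a Windows file name,
# so a literal '?' in a pasted listing means a character the page could not show).
SAMPLE_LISTING = [
    "Adobe", "Microsoft", "Trend Micro", "Utorrent",   # genuine
    "\u0410dobe",                 # Cyrillic capital A instead of Latin A
    "\u041c\u0456crosoft",        # Cyrillic M and Ukrainian i
    "S\u0443stem32",              # Cyrillic u where a Latin y should be
    "\uff21dobe",                 # full-width A: NFKD maps it back to 'A'
    "?asks", "??curity",          # as rendered on the forum
]


def skeleton(name):
    """Reduce a name to ASCII: keep ASCII chars, map compatibility variants
    (full-width, ligatures) to their base letter, and replace anything else
    with '?', the same wildcard the forum listing shows."""
    out = []
    for ch in name:
        if ch.isascii():
            out.append(ch)
            continue
        base = [c for c in unicodedata.normalize("NFKD", ch) if c.isascii()]
        out.append(base[0] if base else "?")
    return "".join(out)


def matches(skel, good):
    """True when skel equals good except at '?' positions (case-insensitive)."""
    return len(skel) == len(good) and all(
        s == "?" or s.lower() == g.lower() for s, g in zip(skel, good))


def find_lookalikes(names, known_good=KNOWN_GOOD):
    """Return [(name, shadowed_good_name)] for names that are not a genuine
    known folder but collapse onto one once look-alike characters are wildcarded."""
    genuine = {g.lower() for g in known_good}
    hits = []
    for name in names:
        if name.lower() in genuine:
            continue                       # the real folder itself
        if name.isascii() and "?" not in name:
            continue                       # ordinary ASCII name, nothing to flag
        skel = skeleton(name)
        for good in known_good:
            if matches(skel, good):
                hits.append((name, good))
                break
    return hits


if __name__ == "__main__":
    for name, good in find_lookalikes(SAMPLE_LISTING):
        print(f"{name!r:28} looks like {good!r}  (skeleton {skeleton(name)!r})")
```

The skeleton step is deliberately lossy: a character with no ASCII base becomes `?`, which is exactly what the forum did when it pasted the listing, so the function accepts either the raw directory names or a listing copied from a post. Names that are plain ASCII and not in the known-good set (Trend Micro, Utorrent) are left alone; the check only fires when a name collides with a folder it is not.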
Old 07-18-2006, 12:44 AM   #5 (permalink)
Mentor, Analyst - Security Team
 
Deckard's Avatar
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Hi junaman,

We don't recommend using any sort of cracks or illegal software here. It looks like you have installed a cracked version of Surcode there and I suggest that you remove it.

I also see that you may have P2P software (i.e. Azureus, Bittorrent, Utorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Openwares LiveUpdate may have come with a program you downloaded. I recommend uninstalling it, but I will leave that decision up to you.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Please turn off Word Wrap in Notepad (under the Tools menu). It makes my job harder to read your logs when you have it turned on. Thanks.

Download CWShredder
Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


Download Brute Force Uninstaller
Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (i.e., C:\BFU).

Do not do anything with these yet!


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
O2 - BHO: Gram curb - {E2313982-8832-475E-806B-98361C9A40DB} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
O3 - Toolbar: HeckCompView - {25773B95-6429-6F8E-DCDB-BE60C7201A0F} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)
Please remember to close all other windows, including browsers then click Fix checked.


Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Documents and Settings\Moscow\Application Data\Holdpoll
C:\Documents and Settings\Moscow\Application Data\Lycos
C:\Documents and Settings\Moscow\Favorites\Casino & Carrers
C:\Documents and Settings\Moscow\Favorites\Going Places
C:\Documents and Settings\Moscow\index.exe
C:\Program Files\holdpoll
c:\winnt\inf\dm.PNF
c:\winnt\inf\satmat.inf
c:\winnt\pcconfig.dat
c:\winnt\satmat.ini
c:\sys.exe

Run Brute Force Uninstaller
Please go to Start > My Computer and navigate to the folder you installed BFU in (i.e., C:\BFU).
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

Reboot
Reboot your system to Normal Mode.


Online Scan
Please do an online scan with the F-Secure Online Scanner. When you go to that link, they explain with images how to allow the ActiveX to start the scan, so make sure you read it.
  • Click the F-Secure Online Scanner Next Generation Beta link.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • Click the Full System Scan button. It will download scanner components and databases. Note that this can take a while.
  • The main scan will start after everything has downloaded.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • Your firewall may give an alert. Please allow it so that the scanner may submit infected files to F-Secure.
  • Cleaning may also take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.

Run This Script
Copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as listdir.bat on your Desktop.

Code:
dir "C:\Documents and Settings\Moscow\Application Data" /a > listdir.txt
notepad listdir.txt
Locate listdir.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad with your next reply.


With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. F-Secure scan report,
  2. The contents of listdir.txt, and
  3. a new HiJackThis log taken after the online scan finishes.
Also please let me know how your system is behaving now.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
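Deckard's HijackThis fix list above picks out the two entries whose registered DLL no longer exists (`Acid Pop.dll`, marked `(file missing)`) and then has the poster delete the folder that hosted it. That triage can be scripted. What follows is an added example, not HijackThis code and not something from the thread; it parses HijackThis log lines into type, name, CLSID and path, flags entries whose target is marked `(file missing)` or `(no file)`, and collects the parent folders of those targets for review. The sample lines are copied from the log earlier in the thread; the names `parse_entry`, `extract_path` and `triage` are chosen here.

```python
"""Triage HijackThis log lines: find orphaned registrations (added example)."""
import re

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Lines copied from the HijackThis log earlier in the thread.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Gamgen\WINXP~1\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: Gram curb - {E2313982-8832-475E-806B-98361C9A40DB} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)",
    r"O3 - Toolbar: HeckCompView - {25773B95-6429-6F8E-DCDB-BE60C7201A0F} - C:\PROGRA~1\holdpoll\Acid Pop.dll (file missing)",
    r"O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe",
]


def extract_path(etype, body, clsid_match):
    """Pull the file/URL target out of the entry body. The path may itself
    contain ' - ' (e.g. 'Spybot - Search & Destroy'), so never split on the
    last separator; anchor on the CLSID or on the entry type instead."""
    if clsid_match:
        rest = body[clsid_match.end():].strip()
        if rest.startswith("("):       # O16: "{CLSID} (Friendly Name) - URL"
            rest = rest.split(" - ", 1)[1] if " - " in rest else ""
        return rest.strip(" -")
    if etype == "O4" and "] " in body:          # "HKLM\..\Run: [Name] path"
        return body.split("] ", 1)[1].strip()
    if etype == "O23":                          # "Service: Name - Vendor - path"
        parts = body.split(" - ", 2)
        return parts[2].strip() if len(parts) == 3 else ""
    parts = body.split(" - ", 1)                # "Kind: Name - path"
    return parts[1].strip() if len(parts) == 2 else ""


def parse_entry(line):
    """Split one HijackThis line into type, name, CLSID and path; None if the
    line is not a log entry (header, process list, blank line)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    cm = CLSID_RE.search(body)
    head = body[:cm.start()] if cm else body.split(" - ", 1)[0]
    if etype == "O4" and "[" in head and "]" in head:
        name = head[head.index("[") + 1:head.index("]")]
    elif ": " in head:
        name = head.split(": ", 1)[1].strip(" -")
    else:
        name = head.strip()
    return {"type": etype, "name": name, "clsid": cm.group(0) if cm else "",
            "path": extract_path(etype, body, cm), "line": line.strip()}


def triage(lines):
    """Return (flagged entries, sorted folders that hosted their missing targets)."""
    flagged, folders = [], set()
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        if any(marker in entry["path"] for marker in ORPHAN_MARKERS):
            entry["reason"] = "registration points at a file that no longer exists"
            flagged.append(entry)
            target = entry["path"]
            for marker in ORPHAN_MARKERS:
                target = target.replace(marker, "")
            target = target.strip()
            if "\\" in target:                 # a bare "(no file)" leaves nothing
                folders.add(target.rsplit("\\", 1)[0])
    return flagged, sorted(folders)


if __name__ == "__main__":
    flagged, folders = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['type']:4} {e['name']!r:16} {e['clsid']}  {e['reason']}")
    print("folders to review:", folders)
```

Run against the sample it flags the two `holdpoll` entries plus the nameless `(no file)` BHO, and reports `C:\PROGRA~1\holdpoll` as the folder worth inspecting, which is the same conclusion the helper reached by hand. An orphaned registration is not itself harmful (the DLL is gone), but it records where the component lived, and it is the one class of entry that can be removed without any risk of breaking a working program.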
Old 07-20-2006, 01:44 AM   #6 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


Thanks for your help so far, and sorry for the delay in replying. My system is performing better and CPU usage seems to be fine... Start up is faster than before.

However, when I try to play a relatively small 3D game, I get a ridiculously low frame rate, and it seems to be taking up a lot of memory. Would that be because of my graphics card?

Here are the logs:

Scanning Report
Wednesday, July 19, 2006 21:41:39 - 23:52:31

Computer name: MOSCOW-ZQ1UJK6A
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ S:\
Result: 449 malware found
Backdoor.Win32.Rbot.gen (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6F2257E2.EXE (Renamed & Submitted)

Backdoor.Win32.SdBot.xt (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\15E72EDE.EXE (Renamed & Submitted)

Email-Worm.Win32.Bagle.as (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\001D6A81.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\00E472C7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\00F93DA1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\01604E07.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\01985CCB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\01F450A7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02952131.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02982CC3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\03037E4A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\03B07576.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\043B5FF0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\04F15C5D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\055E15AD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06784A9A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\069077C3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06DF5296.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06F66DCB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\08A01A1C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\093419F0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\095B31F8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\09C819C4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0A271E07.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0A282871.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0B052CAF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0CEF4CF1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0CF94619.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0E255D2F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0ED226E1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0F133CCE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0F1630A9.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0F583F46.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\10C22EE7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\10EE51AB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1181486A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1214483E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\122133C2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\122249C6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\134E3FFD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\140F1EED.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\14191A23.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\142024C4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\14EA283E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\154D35B1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\164137C8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\16EB5EF9.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\17EF402A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\18814E82.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1883143B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\18AE1921.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1AE75868.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1BB97852.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1CEB2378.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1DB16FC1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1DEC112D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1EA00C23.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1EBB5C4B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1F9E59F5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\219C79E5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\21F7098F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\227D2BBF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\23356DAE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2413503A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\24C71F74.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2529553C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\257F53F0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\25A40C88.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\25F43F6E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\26781467.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\268E228B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\26DE0A6E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\27D32584.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\28F008AE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\29131809.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\29A65C0E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\29AB5D5E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2A0E17CE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2A0F3AAB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2AD66739.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2ADA03DE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2C0A05D6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2D126BC5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2E222A20.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2E4858D8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2EA311B5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2FDD3E6A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\316721BF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\31A74881.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\32085065.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\322E7D17.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\327C6787.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\32E73B05.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\33A64143.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\33C85165.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\34614BAC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\34C755A5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3536180D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\353A5C48.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\353C0C99.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\359E53CD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\359F76A9.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\360449D5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\36322EE0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\36FF5BCA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\371C3638.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\379D21F3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\37B138D8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\37F67C8C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\381B2472.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\38690E02.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\38AF2446.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\38B670FF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\39357A11.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\393861F8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\397931AF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\39B640F7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3A0C3183.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3A4A1EB1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3AB510EF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3B315FA2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3C5A2E43.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3C64297A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3DD01EF5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3E613F75.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3E8D52EA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3ECF6EEC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3F102F96.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\40650ACB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\40672F9E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\40F04A35.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\40F92878.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\40FB2F72.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\411974CF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\413F0940.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4164012A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\41816EE7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\418D2B18.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\421844C7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4244529F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4327505B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\43F94A01.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\445F4008.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\44C53610.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\44CD31CE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\45704459.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\458D61D9.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\45AC191B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\46606A9A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\46C11BA1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\47056BA2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\475F3A92.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\47A4600E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\485D7F30.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\48C3192B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49906147.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49A94075.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49B52512.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49B84F0F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49BB790B.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49C24D04.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4A1D649F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4A210E9C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4A210E9C.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4A243898.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4AB5477B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B230380.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B2459A4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B262D7C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B2673AC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B295778.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B295778.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4B2C0175.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C1E246B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C1E246B.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C214E67.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C257864.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C5955C3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C8663F8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C8A0DF4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C9735E6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C9A5FE2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C9D09DF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C9D09DF.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4CA133DB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4CB27225.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4CBA2D0C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4D2664AE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DAA6378.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DB94EA6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DD74886.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DDA7282.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DDA7282.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DDD1C7F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DE1467B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DE47077.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DE47077.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4DF12DE1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4E253D9D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4E5846C5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EAE1B99.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EB24595.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EB24595.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EB56F91.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EB8198E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4ED831E2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F214A3F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F230FF8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F4F44EB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F761CBD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F7946BA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F7946BA.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F7C70B6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F9D1492.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FA03E8F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FA03E8F.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FA3688B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FBD386E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FC353D9.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FC40C67.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FC40C67.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FCA6060.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FEB043C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4FEE2E38.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5005541F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\505A17C2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\505D41BE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\506415B7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50673FB3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50673FB3.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\506A69B0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\507467A5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50950B81.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50AF5B64.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50B20561.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50B62F5D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50B9595A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50B9595A.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50BF2D52.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50C3574F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50E72527.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50EA4F24.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50EA4F24.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50ED7920.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50F0231D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50F0231D.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50F44D19.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\50F5265F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\512300FA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\513B1804.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\51520EB1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\515638AD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\515962AA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\515962AA.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\516A3B05.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\51C05E52.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5220448F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\52612C58.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\52B87083.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\52CF5801.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\53CC549F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\53E062DA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\559F49BC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\56DC3C99.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\56DC3C99.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\56DF6695.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\56E21092.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\56EE210C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\57E911C1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\581F7935.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\58222332.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\58222332.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\58254D2E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\585B025E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\586F2826.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\58DB66B6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\58DB7633.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59071E36.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59071E36.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\590A4833.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\590D722F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59163EB0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\596C691A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59AA4150.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59D25809.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59E802C3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5A790C6E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5AB2063E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5B0B07FE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5B0E31FB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5B0E31FB.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5B115BF7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5B1513B0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5B78397C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5BF0509A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5CB33CF8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5D1E1AEF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5D922F96.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5E492C82.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5E4B723A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5E8920E8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5F67458E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5FFB482E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\601D41F1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\60AF3667.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\60B05944.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\60CF4CC5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\61772194.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\61A26A76.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\62FD13BB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6312254B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63863391.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63A6251F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\644539CF.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\64465CAB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\644745D5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\644A6FD1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\644A6FD1.SCR (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\644E19CD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\64A43D9A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\65955DAB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\671B1A2A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6A3F0743.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6AB21579.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6B7948E9.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6C0D48BD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6C407266.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6C414965.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6CEB5252.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6DC870DC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6DF72871.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6F507AF8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6F6E3A0E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6FD675CE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6FD718AA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7010416F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\706409CB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\70EE1134.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\714E1369.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\71E2133D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\723266E2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\736F68FB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\757C5107.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\76704CF4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\76B116DC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\780E6330.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\78463251.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\793658FB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7985275B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7A3528F3.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7BA37C16.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7DEA5912.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7DF64367.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7E5A5B72.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7E976209.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7EFD5810.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F1E430F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F383062.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F814C03.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7FB242E3.EXE (Renamed & Submitted)

IM-Worm.Win32.Bauka.b (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\12FE16CB.EXE (Renamed & Submitted)

IM-Worm.Win32.Bauka.c (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\178B23C8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\474B6C22.EXE (Renamed & Submitted)

IM-Worm.Win32.Bauka.f (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\220679AD (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7AB86A07 (Renamed & Submitted)

IM-Worm.Win32.Kelvir.cg (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0F0C166D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1D734094.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\239C77CC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2A0776BC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\30654DBB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\36BF7ABE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D264FB2.EXE (Renamed & Submitted)

IM-Worm.Win32.Prex.d (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\13327E33.EXE (Renamed & Submitted)

Tracking Cookie (spyware)

* System (Disinfected)

Trojan-Downloader.Win32.Adload.a (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\21362270.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\213A4C6C.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Agent.rv (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2B271170.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\533A00B9.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Dyfuca.dp (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\532030D5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5DB4700E.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Dyfuca.dt (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5355509C.DLL (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\746F7204.DLL (Renamed & Submitted)

Trojan-Downloader.Win32.Dyfuca.ei (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2147745E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4248096D.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Dyfuca.gen (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2147745E.DLL (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\53447EAE.DLL (Renamed & Submitted)

Trojan-Downloader.Win32.IstBar.gen (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\21444A61.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.IstBar.ij (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\70EF6F6F.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.IstBar.jm (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0810676C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\214D4857.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\534E7CA3.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.IstBar.jn (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\213D7668.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C802B6D.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.IstBar.kg (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\533756BC.DLL (Renamed & Submitted)

Trojan-Downloader.Win32.PurityScan.au (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F594FFD.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.PurityScan.bt (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\15971FA9.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.PurityScan.cj (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B8B27CF.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.PurityScan.cl (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\62B23DF8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F562601.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.PurityScan.cq (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F5F23F6.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Small.cml (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06793FCB.DLL (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\38DC47F3.DLL (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\623F6DA5.DLL (Renamed)

Trojan-Downloader.Win32.Swizzor.g (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\708C0C54.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Wren.d (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F826F1D.EXE (Renamed & Submitted)

Trojan-Dropper.Win32.Small.abe (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B6A03F3.DLL (Renamed & Submitted)

Trojan-Dropper.Win32.Small.ff (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5BE20FC3.EXE (Renamed & Submitted)

Trojan.Win32.Agent.hn (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\54D04D8D.EXE (Renamed & Submitted)

Trojan.Win32.DesktopPuzzle (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\70903650.EXE (Renamed & Submitted)

Trojan.Win32.Dialer.ay (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6E4279F6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B8E51CB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B917BC8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B9525C4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F5C79F9.EXE (Renamed & Submitted)

Trojan.Win32.Dialer.g (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\23EB01CC.EXE (Renamed & Submitted)

Trojan.Win32.Dialer.jr (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3675395A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D66397A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3DA70132.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\598C3727.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59995F19.EXE (Renamed & Submitted)

Trojan.Win32.Dialer.oy (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B9B79BD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B9E23B9.EXE (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7BA24DB6.EXE (Renamed)

Trojan.Win32.Small.cy (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\534828AA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\534B52A7.EXE (Renamed & Submitted)

Trojan.Win32.StartPage.nk (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\117833D2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\214A1E5A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D696376.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D6D0D72.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D70376F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D73616B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D760B68.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D7A3564.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D7D5F61.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D80095D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D833359.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D875D56.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D8A0752.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D8D314F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D915B4B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D940547.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D972F44.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D9A5940.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3D9E033D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3DA45735.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\53447EAE.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5995351C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\633743D7.EXE (Renamed & Submitted)

Worm.Win32.VB.an (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1F0D4736.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 44471
* System: 6080
* Not scanned: 4

Actions:

* Disinfected: 1
* Renamed: 448
* Deleted: 0
* None: 0
* Submitted: 444

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINNT\SYSTEM32\CONFIG\DEFAULT
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
* C:\DOCUMENTS AND SETTINGS\MOSCOW\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-07-19
* F-Secure Libra: 2.4.1, 2006-07-12
* F-Secure Orion: 1.2.37, 2006-07-18
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Draco: 1.0.35, 0259-24-212
* F-Secure Pegasus: 1.19.0, 2006-06-05

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics


Volume in drive C has no label.
Volume Serial Number is F0CA-B217

Directory of C:\Documents and Settings\Moscow\Application Data

19/07/2006 08:59 PM <DIR> .
19/07/2006 08:59 PM <DIR> ..
16/01/2006 10:04 PM <DIR> .bittorrent
15/07/2006 11:12 PM 557,055 .iScrobbler
13/08/2003 11:40 PM <DIR> ACD Systems
09/07/2006 11:09 AM <DIR> Adobe
16/03/2006 08:20 AM <DIR> AdobeUM
03/08/2004 08:36 PM <DIR> Alien Skin
08/06/2005 06:25 PM <DIR> Apple Computer
19/06/2006 05:16 PM <DIR> ArcSoft
16/06/2006 11:59 PM <DIR> Azureus
24/03/2006 03:47 PM <DIR> a?sembly
24/03/2006 03:45 PM <DIR> A?pPatch
31/01/2004 05:37 PM 0 dm.ini
23/03/2006 03:55 PM <DIR> ExecutiveSoftware
19/01/2005 01:07 PM 57 fc_location.txt
24/03/2006 03:44 PM <DIR> F?nts
24/03/2006 03:46 PM <DIR> F?nts
11/08/2005 09:53 PM <DIR> Google
19/03/2004 09:23 PM <DIR> Help
27/01/2003 08:26 PM <DIR> IBM Sash
01/06/2005 02:32 PM <DIR> ICQLite
10/07/2002 09:22 PM <DIR> Identities
15/07/2006 11:12 PM 169 iScrobbler.ini
18/06/2005 01:35 PM <DIR> Lavasoft
31/01/2004 05:40 PM <DIR> Leadertech
09/04/2006 07:28 PM <DIR> Macromedia
12/03/2006 03:22 PM <DIR> Media Player Classic
22/10/2005 06:25 PM <DIR> Microsoft
10/07/2002 09:54 PM <DIR> Microsoft Web Folders
18/06/2005 10:26 PM <DIR> Mozilla
21/04/2003 04:54 PM <DIR> MSN6
21/11/2005 06:44 PM <DIR> My Games
24/03/2006 03:44 PM <DIR> M?crosoft
24/03/2006 03:49 PM <DIR> M?crosoft.NET
19/11/2004 09:57 PM <DIR> Raptisoft
22/07/2005 10:48 PM <DIR> Real
19/07/2006 11:56 PM <DIR> Skype
31/07/2004 07:11 PM <DIR> SmartDraw
30/06/2005 01:45 PM <DIR> Sony
22/09/2004 02:45 PM <DIR> Sun
30/07/2002 07:33 PM <DIR> Symantec
24/03/2006 03:47 PM <DIR> s?curity
24/03/2006 03:46 PM <DIR> S?mantec
24/03/2006 03:45 PM <DIR> s?mbols
24/03/2006 03:46 PM <DIR> s?stem
24/03/2006 03:46 PM <DIR> s?stem32
25/02/2005 07:33 PM <DIR> Talkback
25/07/2005 04:59 PM <DIR> Trend Micro
24/03/2006 03:46 PM <DIR> T?sks
17/07/2006 07:28 AM <DIR> uTorrent
24/03/2006 03:44 PM <DIR> W?nSxS
24/03/2006 03:47 PM <DIR> àdobe
24/03/2006 03:46 PM <DIR> àppPatch
24/03/2006 03:49 PM <DIR> à?pPatch
24/03/2006 03:45 PM <DIR> ?icrosoft
24/03/2006 03:45 PM <DIR> ?icrosoft.NET
24/03/2006 03:47 PM <DIR> ??crosoft
24/03/2006 03:44 PM <DIR> ??crosoft.NET
24/03/2006 03:44 PM <DIR> ?racle
24/03/2006 03:47 PM <DIR> çasks
24/03/2006 03:48 PM <DIR> ç?sks
24/03/2006 03:46 PM <DIR> ?ecurity
24/03/2006 03:45 PM <DIR> ?ymantec
24/03/2006 03:47 PM <DIR> ?ymbols
24/03/2006 03:44 PM <DIR> ?ystem
24/03/2006 03:44 PM <DIR> ?ystem32
24/03/2006 03:48 PM <DIR> ??curity
24/03/2006 03:48 PM <DIR> ??mantec
24/03/2006 03:49 PM <DIR> ??mbols
24/03/2006 03:44 PM <DIR> ??stem
24/03/2006 03:46 PM <DIR> ??stem32
24/03/2006 03:50 PM <DIR> ?dobe
24/03/2006 03:44 PM <DIR> ?ppPatch
24/03/2006 03:46 PM <DIR> ?ssembly
24/03/2006 03:50 PM <DIR> ??sembly
24/03/2006 03:46 PM <DIR> ??pPatch
24/03/2006 03:44 PM <DIR> ?icrosoft
24/03/2006 03:44 PM <DIR> ?icrosoft.NET
24/03/2006 03:54 PM <DIR> ??crosoft
24/03/2006 03:45 PM <DIR> ??crosoft.NET
24/03/2006 03:47 PM <DIR> ?racle
24/03/2006 03:49 PM <DIR> ?asks
24/03/2006 03:49 PM <DIR> ??sks
4 File(s) 557,281 bytes

Directory of C:\Documents and Settings\Moscow\Desktop



Logfile of HijackThis v1.99.1
Scan saved at 5:32:53 PM, on 20/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Starter.Exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\svchost.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.connect.com.au:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\Yetisports\IEButtonYetiSportsEBayInterface.dll (file missing)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Gamgen\WINXP~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\System32\Starter.Exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thank you

Last edited by junaman; 07-20-2006 at 01:53 AM.
Old 07-20-2006, 11:20 PM   #7 (permalink)
Mentor, Analyst - Security Team
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Hi junaman,

There are some entries that are being persistent. Let's try another tactic.

Download ComboFix from one of the following links:
  1. http://download.bleepingcomputer.com/sUBs/combofix.exe
  2. http://www.techsupportforum.com/sectools/combofix.exe

Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
Old 07-20-2006, 11:26 PM   #8 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


Thanks again
Here's the ComboFix log:

Start Time= Fri 21/07/2006 15:23:47.46
Running from: C:\Documents and Settings\Moscow\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-21 15:23 <DIR> C:\Documents and Settings\Moscow\Application Data\skype
2006-07-21 13:22 <DIR> C:\Program Files\mozilla firefox
2006-07-21 13:20 <DIR> C:\Program Files\common files
2006-07-21 09:03 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-20 17:39 169 C:\Documents and Settings\Moscow\Application Data\iscrobbler.ini
2006-07-17 22:01 <DIR> C:\Program Files\winzip
2006-07-17 22:01 <DIR> C:\Program Files\winrar
2006-07-17 22:01 <DIR> C:\Program Files\ultra tag editor
2006-07-17 22:01 <DIR> C:\Program Files\tagrename
2006-07-17 22:01 <DIR> C:\Program Files\norton antivirus
2006-07-17 22:01 <DIR> C:\Program Files\msn messenger
2006-07-17 22:01 <DIR> C:\Program Files\icq
2006-07-17 22:01 <DIR> C:\Program Files\foobar2000
2006-07-17 22:01 <DIR> C:\Program Files\easymp3
2006-07-17 22:01 <DIR> C:\Program Files\Common Files\system
2006-07-17 22:01 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-17 22:01 <DIR> C:\Program Files\azureus
2006-07-17 22:01 <DIR> C:\Program Files\aqua dock
2006-07-17 22:00 <DIR> C:\Program Files\messenger
2006-07-17 22:00 <DIR> C:\Program Files\internet explorer
2006-07-17 22:00 <DIR> C:\Program Files\clicktoconvert
2006-07-17 21:55 1,236 C:\WINNT\win.ini
2006-07-17 17:55 <DIR> C:\Program Files\cleanup!
2006-07-17 17:47 888,832 C:\WINNT\system32\nvmobls.dll
2006-07-17 17:47 5,664,768 C:\WINNT\system32\nvdisps.dll
2006-07-17 17:47 3,039,232 C:\WINNT\system32\nvgames.dll
2006-07-17 17:47 229,376 C:\WINNT\system32\nvmccs.dll
2006-07-17 17:47 2,928,640 C:\WINNT\system32\nvvitvs.dll
2006-07-17 17:47 196,608 C:\WINNT\system32\nvapi.dll
2006-07-17 17:47 188,416 C:\WINNT\system32\nvmccss.dll
2006-07-17 17:47 1,261,568 C:\WINNT\system32\nvwss.dll
2006-07-17 07:28 <DIR> C:\Documents and Settings\Moscow\Application Data\utorrent
2006-07-16 20:06 352 C:\WINNT\system.ini
2006-07-16 13:51 <DIR> C:\Program Files\liveupdate
2006-07-16 00:03 <DIR> C:\Program Files\zoom player
2006-07-15 20:10 <DIR> C:\Program Files\xvid
2006-07-14 13:16 447,192 C:\WINNT\system32\perfstringbackup.ini
2006-07-09 11:09 <DIR> C:\Documents and Settings\Moscow\Application Data\adobe
2006-07-02 18:15 <DIR> C:\Program Files\picasa2
2006-06-19 17:16 <DIR> C:\Documents and Settings\Moscow\Application Data\arcsoft
2006-06-19 16:20 702,768 C:\WINNT\system32\wgalogon.dll
2006-06-18 15:45 <DIR> C:\Program Files\installshield installation information
2006-06-18 15:45 <DIR> C:\Program Files\arcsoft
2006-06-18 15:35 <DIR> C:\Program Files\canon
2006-06-18 15:32 <DIR> C:\Program Files\Common Files\canon
2006-06-16 23:59 <DIR> C:\Documents and Settings\Moscow\Application Data\azureus
2006-06-16 16:33 358 C:\tmp.ini
2006-06-16 14:34 48,936 C:\WINNT\system32\sirenacm.dll
2006-06-15 23:01 <DIR> C:\Program Files\Common Files\commodio
2006-06-01 22:51 <DIR> C:\Program Files\microsoft
2006-05-19 22:59 94,720 C:\WINNT\system32\iphlpapi.dll
2006-05-19 22:59 148,480 C:\WINNT\system32\dnsapi.dll
2006-05-19 22:59 111,616 C:\WINNT\system32\dhcpcsvc.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-20 22:19 888,832 C:\WINNT\system32\nvmobls.dll
2006-07-20 22:19 5,664,768 C:\WINNT\system32\nvdisps.dll
2006-07-20 22:19 3,039,232 C:\WINNT\system32\nvgames.dll
2006-07-20 22:19 229,376 C:\WINNT\system32\nvmccs.dll
2006-07-20 22:19 2,928,640 C:\WINNT\system32\nvvitvs.dll
2006-07-20 22:19 196,608 C:\WINNT\system32\nvapi.dll
2006-07-20 22:19 188,416 C:\WINNT\system32\nvmccss.dll
2006-07-20 22:19 1,261,568 C:\WINNT\system32\nvwss.dll
2006-07-17 21:52 73,728 C:\WINNT\system32\asuninst.exe
2006-07-17 17:59 106 C:\delete.bat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EnsoniqMixer"="C:\\WINNT\\System32\\Starter.Exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\G001-1.0.25.0\\gnotify.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SymNetDrv\\SNDMon.exe /Consumer"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
"Aqua Dock"="C:\\Program Files\\Aqua Dock\\Aqua Dock.exe"
"Synchronization Manager"="mobsync.exe /logon"
"NPS Event Checker"="C:\\PROGRA~1\\Navnt\\npscheck.exe"
"Norton eMail Protect"="C:\\Program Files\\Navnt\\POProxy.exe"
"NeroCheck"="C:\\WINNT\\System32\\NeroCheck.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\not active]
"siseod2g"="C:\\WINNT\\system32\\siseod2g.exe"
"salm"="c:\\temp\\salm.exe"
"farmmext"="C:\\WINNT\\farmmext.exe"
"qquble"="c:\\winnt\\system32\\qquble.exe"
"Media Access"="C:\\Program Files\\Media Access\\MediaAccK.exe"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"Power Scan"="C:\\Program Files\\Power Scan\\powerscan.exe"
"sais"="c:\\program files\\180searchassistant\\sais.exe"
"msxct"="msxct.exe"
"dencnef"="C:\\WINNT\\dencnef.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d0,01,00,00,00,00,00,00,30,03,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.ultimatecarpage.com/forum"
"SubscribedURL"="http://www.ultimatecarpage.com/forum"
"FriendlyName"=""
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a4,01,00,00,27,00,00,00,a0,00,00,00,94,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,d4,03,00,00,27,00,00,00,18,01,00,00,23,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:01,00,00,00,00,00,00,00,00,00,00,00,10,00,00,00,00,00,\
00,00,00,e3,07,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="http://www.slimezone.com/show.php?id=44"
"SubscribedURL"="http://www.slimezone.com/show.php?id=44"
"FriendlyName"="Bowling Slime - SlimeZone"
"Flags"=dword:00001002
"Position"=hex:2c,00,00,00,a4,01,00,00,e3,00,00,00,a0,00,00,00,94,00,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,60,02,00,00,3d,01,00,00,9f,02,00,00,76,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:cc,d1,07,00,3c,d2,07,00,08,d3,07,00,00,00,00,00,18,00,\
00,00,03,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EB9BDABE-1BD2-445B-9A13-BA9C7D2E3CA9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINNT\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINNT\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Moscow^Start Menu^Programs^Startup^Aqua Dock.lnk]
"path"="C:\\Documents and Settings\\Moscow\\Start Menu\\Programs\\Startup\\Aqua Dock.lnk"
"backup"="C:\\WINNT\\pss\\Aqua Dock.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Aqua Dock\\Aqua Dock.exe "
"item"="Aqua Dock"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Moscow^Start Menu^Programs^Startup^MSNP13 Downgrader.lnk]
"path"="C:\\Documents and Settings\\Moscow\\Start Menu\\Programs\\Startup\\MSNP13 Downgrader.lnk"
"backup"="C:\\WINNT\\pss\\MSNP13 Downgrader.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\MSN Messenger\\MSNP13Downgrader.exe "
"item"="MSNP13 Downgrader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Moscow^Start Menu^Programs^Startup^Undelete 4 Professional Edition Registration.lnk]
"path"="C:\\Documents and Settings\\Moscow\\Start Menu\\Programs\\Startup\\Undelete 4 Professional Edition Registration.lnk"
"backup"="C:\\WINNT\\pss\\Undelete 4 Professional Edition Registration.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\Executive Software\\Undelete\\ESIRegister.exe /remind /language=ENA /PRNM=\"Undelete 4 Professional Edition\""
"item"="Undelete 4 Professional Edition Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ashampoo PopUpBlocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PopUpKiller"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Gamgen\\WINXP~1\\ASHAMP~1\\PopUpKiller.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cahc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="erha"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\rtel\\erha.exe\" -vt yazr"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033 -lock"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyMP3 Track Rename]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EasyRen"
"hkey"="HKLM"
"command"="EasyRen.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firefly]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Firefly"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Firefly\\Firefly.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Plus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vplus"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\li-speed00147]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="li-speed00147"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LINUX32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LINUX32"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSNAgentCQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AgentCQ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSQueueSystem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeoCheat Suite 0[1]"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orgasm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Orgasm"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealJukeboxSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tsystray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Real\\RealJukebox\\tsystray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboTaskBarIcon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SETTINGSROAD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cast fast"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SexCams_au]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SexCams_au"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gamgen\\WIN XP\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSWPlauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="comet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Res"
"hkey"="HKLM"
"command"="C:\\Program Files\\USBToolbox\\Res.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vsn"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarezP2PClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Warez"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GameChannel"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Gamgen\\WIN XP\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PMJ151LA"=dword:00000002
"nvsvc"=dword:00000003
"Norton Program Scheduler"=dword:00000002
"NAV Auto-Protect"=dword:00000002
"NAV Alert"=dword:00000003
"Macromedia Licensing Service"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe SYSTEMBOOTHIDEPLAYER"
"SETTINGSROAD"=""
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NvMcTray.dll,NvTaskbarInit"



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Norton AntiVirus - Scan my computer - Moscow.job

Completion time: Fri 21/07/2006 15:24:23.39
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

Old 07-21-2006, 12:57 AM   #9 (permalink)
Mentor, Analyst - Security Team
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Please do these:

Follow Symantec's guide to clean out your Norton quarantine directory.

Delete this file: C:\tmp.ini

Locate this file: C:\Delete.bat. Right click it and select Edit. Copy and paste that text here with your next reply.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\not active]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cahc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SETTINGSROAD]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Now, copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as listdir.bat on your Desktop.

Code:
dir "C:\Documents and Settings\Moscow\Application Data" /a /x > listdir.txt
notepad listdir.txt

Locate listdir.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents with your next reply.


Please generate an uninstall list:
  • Open HijackThis.
  • Click on the "Configure" button on the bottom right.
  • Click on the tab "Misc Tools".
  • Click on the Box that says "Open Uninstall Manager".
  • Click on the button "Save list"
Please save a copy and paste the contents with your next reply.

With your next reply...
Please post the contents of C:\delete.bat, listdir.txt and the uninstall list from HijackThis.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
Old 07-21-2006, 01:16 AM   #10
junaman (Registered User)
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


C:\Delete.bat

@ECHO OFF
del "%programfiles%\Adverts\uninst.exe" /Q > NUL 2> NUL
rmdir "%programfiles%\Adverts" > NUL

listdir.txt

Volume in drive C has no label.
Volume Serial Number is F0CA-B217

Directory of C:\Documents and Settings\Moscow\Application Data

21/07/2006 11:36 AM <DIR> .
21/07/2006 11:36 AM <DIR> ..
16/01/2006 10:04 PM <DIR> .bittorrent
20/07/2006 05:39 PM 557,055 .iScrobbler
13/08/2003 11:40 PM <DIR> ACDSYS~1 ACD Systems
09/07/2006 11:09 AM <DIR> Adobe
16/03/2006 08:20 AM <DIR> AdobeUM
03/08/2004 08:36 PM <DIR> Alien Skin
08/06/2005 06:25 PM <DIR> Apple Computer
19/06/2006 05:16 PM <DIR> ArcSoft
16/06/2006 11:59 PM <DIR> Azureus
24/03/2006 03:47 PM <DIR> a?sembly
24/03/2006 03:45 PM <DIR> A?pPatch
31/01/2004 05:37 PM 0 dm.ini
23/03/2006 03:55 PM <DIR> ExecutiveSoftware
19/01/2005 01:07 PM 57 fc_location.txt
24/03/2006 03:44 PM <DIR> F?nts
24/03/2006 03:46 PM <DIR> F?nts
11/08/2005 09:53 PM <DIR> Google
19/03/2004 09:23 PM <DIR> Help
27/01/2003 08:26 PM <DIR> IBMSAS~1 IBM Sash
01/06/2005 02:32 PM <DIR> ICQLite
10/07/2002 09:22 PM <DIR> IDENTI~1 Identities
20/07/2006 05:39 PM 169 iScrobbler.ini
18/06/2005 01:35 PM <DIR> Lavasoft
31/01/2004 05:40 PM <DIR> LEADER~1 Leadertech
09/04/2006 07:28 PM <DIR> MACROM~1 Macromedia
12/03/2006 03:22 PM <DIR> Media Player Classic
22/10/2005 06:25 PM <DIR> MICROS~1 Microsoft
10/07/2002 09:54 PM <DIR> MICROS~2 Microsoft Web Folders
18/06/2005 10:26 PM <DIR> Mozilla
21/04/2003 04:54 PM <DIR> MSN6
21/11/2005 06:44 PM <DIR> My Games
24/03/2006 03:44 PM <DIR> M?crosoft
24/03/2006 03:49 PM <DIR> M?crosoft.NET
19/11/2004 09:57 PM <DIR> Raptisoft
22/07/2005 10:48 PM <DIR> Real
21/07/2006 04:57 PM <DIR> Skype
31/07/2004 07:11 PM <DIR> SmartDraw
30/06/2005 01:45 PM <DIR> Sony
22/09/2004 02:45 PM <DIR> Sun
30/07/2002 07:33 PM <DIR> Symantec
24/03/2006 03:47 PM <DIR> s?curity
24/03/2006 03:46 PM <DIR> S?mantec
24/03/2006 03:45 PM <DIR> s?mbols
24/03/2006 03:46 PM <DIR> s?stem
24/03/2006 03:46 PM <DIR> s?stem32
25/02/2005 07:33 PM <DIR> Talkback
25/07/2005 04:59 PM <DIR> Trend Micro
24/03/2006 03:46 PM <DIR> T?sks
17/07/2006 07:28 AM <DIR> uTorrent
24/03/2006 03:44 PM <DIR> W?nSxS
24/03/2006 03:47 PM <DIR> àdobe
24/03/2006 03:46 PM <DIR> àppPatch
24/03/2006 03:49 PM <DIR> à?pPatch
24/03/2006 03:45 PM <DIR> ?icrosoft
24/03/2006 03:45 PM <DIR> ?icrosoft.NET
24/03/2006 03:47 PM <DIR> ??crosoft
24/03/2006 03:44 PM <DIR> ??crosoft.NET
24/03/2006 03:44 PM <DIR> ?racle
24/03/2006 03:47 PM <DIR> çasks
24/03/2006 03:48 PM <DIR> ç?sks
24/03/2006 03:46 PM <DIR> ?ecurity
24/03/2006 03:45 PM <DIR> ?ymantec
24/03/2006 03:47 PM <DIR> ?ymbols
24/03/2006 03:44 PM <DIR> ?ystem
24/03/2006 03:44 PM <DIR> ?ystem32
24/03/2006 03:48 PM <DIR> ??curity
24/03/2006 03:48 PM <DIR> ??mantec
24/03/2006 03:49 PM <DIR> ??mbols
24/03/2006 03:44 PM <DIR> ??stem
24/03/2006 03:46 PM <DIR> ??stem32
24/03/2006 03:50 PM <DIR> ?dobe
24/03/2006 03:44 PM <DIR> ?ppPatch
24/03/2006 03:46 PM <DIR> ?ssembly
24/03/2006 03:50 PM <DIR> ??sembly
24/03/2006 03:46 PM <DIR> ??pPatch
24/03/2006 03:44 PM <DIR> ?icrosoft
24/03/2006 03:44 PM <DIR> ?icrosoft.NET
24/03/2006 03:54 PM <DIR> ??crosoft
24/03/2006 03:45 PM <DIR> ??crosoft.NET
24/03/2006 03:47 PM <DIR> ?racle
24/03/2006 03:49 PM <DIR> ?asks
24/03/2006 03:49 PM <DIR> ??sks
4 File(s) 557,281 bytes
80 Dir(s) 10,181,591,040 bytes free


Uninstall List

Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop CS
Adobe Reader 7.0.7
AI RoboForm Adapter for Firefox/Mozilla/Netscape
Aluria LiteScanner
Aqua Dock
ArcSoft PhotoStudio 5.5
ArcSoft Software Suite
Avi Previewer 2.11 DEMO
AviSynth 2.5
Azureus
Batch Image Resizer 2.06
BitTorrent 4.2.2
Cacheman 5.50
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Cartman's Authoritah 1.3
ccCommon
CDCheck
Chaos Pack 1.00 for Pocket Tanks Deluxe
CleanUp!
Click to Convert 5.3
Convert DOC to PDF For Word 2.00
Cowabanga by OIN
Crazy Tetris v.2.15
Creative PCI Audio Drivers
Cyberworld Msn tool v1.0
DAEMON Tools
DietPower
DV Studio3
DVD Decrypter (Remove Only)
DynaWares' Dictation
Ease Audio Converter 2.20
EasyMP3 Encoder
e-tax 2004
e-tax 2005
ewido anti-spyware 4.0
File Recover 6.0
Firefly Soft Phone
Flamethrower Pack 1.00a for Pocket Tanks Deluxe
foobar2000
Free PS Convert driver
Game Maker 6.1
Garmin WebUpdater
Geowebtech, Inc. adoc2pdf
GoldWave v5.13
Google Gmail Notifier
Google Toolbar for Internet Explorer
Graphmatica
Halo Zero 1.8.5
Heavy Weapon Deluxe(TM)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HyperLoad - 4x4
ICQ 5
Icy Tower v1.3.1
Internet Worm Protection
Îòðÿä Îìåãà
iPod for Windows 2005-02-07
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
IrfanView (remove only)
iScrobbler
iTunes
iTunes Art Importer
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
K-Lite Mega Codec Pack 1.18
Lame ACM MP3 Codec
Lavasoft VX2 Cleaner
Lemonade Tycoon Deluxe
LimeWire
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia FreeHand MXa
Macromedia Shockwave Player
Mathcad 7 Explorer
Maths Quest CD-ROM
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Bootvis
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Premium
Microsoft Office PowerPoint Viewer 2003
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft Speech SDK 4.0
Microsoft Speech SDK 4.0 ActiveX Components
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft Windows Journal Viewer
Microsoft Windows Vista Upgrade Advisor
Microsoft XML Parser and SDK
mkw Audio Compression Toolkit
MSDN Library - January 2001
MSXML 4.0 SP2 Parser and SDK
Natural Color
NEC PC Control Utility 1.0
Nero - Burning Rom
Newman Haas
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Nuke Pack 1.00 for Pocket Tanks Deluxe
OfficeCapture
OptusNet Cable Components
Panda ActiveScan
PartyPoker
PDF-XChange 2.5 Driver Install
Picasa 2
Political Tycoon
Power Defrag 3.01
QuickTime
RealJukebox
Recover My Files
RichFX Player
Rogue's Quest 1.0m
SD Viewer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shockwave
Sibelius Scorch
Sid Meier's Civilization 4
SiSoftware Sandra Standard 2004 (Tweak Town Edition)
Skype 1.4
Snooker147 & Poolster (Shareware Demo) 1.3
SoftSound Shorten for Windows 2.3b
Sound Blaster AudioPCI Drivers Online Help
SPBBC
Spinner Plus
Spybot - Search & Destroy 1.4
Stellar Phoenix (FAT & NTFS) 2.1
SurCode CD Pro DTS
Symantec
Symantec Script Blocking Installer
SymNet
Tag&Rename 3.1.7
The Game Of Life
The Neverhood
Theme Hospital
TI Connect 1.5
TI-GRAPH LINK 83
TI-GRAPH LINK 89
Tower Blaster
TransMac version 7.3
Trivia Master
Ultimate Paint 2.86
Undisker
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
USB Driver for Panasonic DVC (with Web Camera)
USB Mass Storage Toolbox
Videora iPod Converter 0.91
Vidmex 1.3
Viper 1.14
vob2audio 0.1.0
VoiceExplorer2004®
WA Update v3.50 beta2
WinAce Archiver 2.0
Winamp (remove only)
Windows 2000 Service Pack 2 (1033)
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinFast(R) Display Driver
WinPatrol
WinRAR archiver
WinUndelete
WinZip
WinZip Self-Extractor
X2CD (remove only)
XviD 1.1 final uninstall
YETISPORTS Pingu Throw D.C.
Zoom Player (remove only)
Old 07-21-2006, 08:48 PM   #11
Deckard (Mentor, Analyst - Security Team)
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Cowabanga by OIN
Îòðÿä Îìåãà
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Delete this file: C:\Delete.bat. This is a leftover from your Messenger Plus! 3 installation.

If C:\Program Files\Adverts exists, you can safely delete that directory as well.

Browse to C:\Documents and Settings\Moscow\Application Data. In the View menu, select Details. Sort by Date Modified by clicking on that text. Delete all the directories with the date of 24/03/2006, which should now be grouped together.

Locate listdir.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents with your next reply along with one more HijackThis log.

Is your computer still behaving okay? The 3D issue may be related to your graphics drivers -- did you upgrade them recently? Some of the above logs indicate you might have. If you are still having issues with that, you may want to ask the folks in the Video Cards forum for help after we declare you clean.
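The listing in post #10 and the clean-up rule in post #11 (sort Application Data by date, remove the directories created on 24/03/2006) can be automated. The Python script below is an added example, not part of the thread or of any tool it mentions: it parses a listdir.txt produced by the `dir /a /x` batch file, flags directory names containing non-ASCII or unrepresentable ('?') characters, notes which standard folder name each one imitates, and groups the hits by date so the cluster stands out. The embedded listing is a constructed subset of the thread's listdir.txt, and the look-alike target list is an assumption drawn from that listing.

```python
import re
import unicodedata
from collections import Counter, namedtuple
from typing import List, Optional, Tuple

# One line of `dir /a /x` output as pasted in the thread (columns collapsed to single
# spaces): date, time, AM/PM, "<DIR>" or a byte count, then the name(s).
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+\d{2}:\d{2}\s+(?:AM|PM)\s+(<DIR>|[\d,]+)\s+(.+)$")
# The 8.3 short name /x prints before a long name ("ACDSYS~1 ACD Systems"); assumed pattern.
SHORT_RE = re.compile(r"^([A-Z0-9_]{1,6}~\d)\s+(.+)$")
# Folder names the rogue directories imitate. Assumption drawn from the thread's listing,
# not an authoritative list of Windows folders.
LOOKALIKE_TARGETS = ["microsoft", "microsoft.net", "system", "system32", "symbols",
                     "security", "tasks", "fonts", "winsxs", "apppatch", "assembly",
                     "adobe", "symantec", "oracle"]

Entry = namedtuple("Entry", "date is_dir short_name name")

def parse_listing(text: str) -> List[Entry]:
    # Header, blank and summary lines do not match LINE_RE and carry no entries.
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, kind, rest = m.groups()
        short_name = None
        sm = SHORT_RE.match(rest)
        if sm:
            short_name, rest = sm.groups()
        if rest in (".", ".."):
            continue
        entries.append(Entry(date, kind == "<DIR>", short_name, rest))
    return entries

def normalize(name: str) -> str:
    # Strip accents (à -> a, ç -> c) and lowercase so look-alikes compare to their targets.
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def has_odd_chars(name: str) -> bool:
    # Non-ASCII characters, or the '?' the console prints for ones it cannot display.
    return any(ord(c) > 127 or c == "?" for c in name)

def wildcard_distance(candidate: str, target: str) -> int:
    # Levenshtein distance where '?' in the candidate matches any single character.
    prev = list(range(len(target) + 1))
    for i, c in enumerate(candidate, 1):
        cur = [i]
        for j, t in enumerate(target, 1):
            sub = 0 if (c == t or c == "?") else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + sub))
        prev = cur
    return prev[-1]

def best_lookalike(name: str) -> Tuple[str, int]:
    # Closest target folder name and its distance from the normalized name.
    norm = normalize(name)
    return min(((t, wildcard_distance(norm, t)) for t in LOOKALIKE_TARGETS), key=lambda p: p[1])

def triage(listing: str) -> Tuple[List[Tuple[Entry, List[str]]], Counter]:
    # Returns (flagged entries with reasons, number of flagged entries per date).
    flagged = []
    for entry in parse_listing(listing):
        reasons = []
        target, dist = best_lookalike(entry.name)
        if has_odd_chars(entry.name):
            reasons.append("non-ASCII or unrepresentable ('?') character in name")
            if dist <= 1:
                reasons.append(f"imitates '{target}'")
        elif dist == 1:
            reasons.append(f"one character away from '{target}'")
        if reasons:
            flagged.append((entry, reasons))
    return flagged, Counter(entry.date for entry, _ in flagged)

def dominant_date(by_date: Counter) -> Optional[str]:
    # The date most flagged entries share: the cluster to review and remove as a group.
    return by_date.most_common(1)[0][0] if by_date else None

# Constructed sample: a subset of the listdir.txt lines posted in the thread.
SAMPLE_LISTING = """\
20/07/2006 05:39 PM 557,055 .iScrobbler
13/08/2003 11:40 PM <DIR> ACDSYS~1 ACD Systems
09/07/2006 11:09 AM <DIR> Adobe
24/03/2006 03:47 PM <DIR> a?sembly
24/03/2006 03:45 PM <DIR> A?pPatch
22/10/2005 06:25 PM <DIR> MICROS~1 Microsoft
24/03/2006 03:44 PM <DIR> M?crosoft
24/03/2006 03:46 PM <DIR> s?stem32
24/03/2006 03:47 PM <DIR> àdobe
24/03/2006 03:47 PM <DIR> çasks
24/03/2006 03:47 PM <DIR> ??crosoft
4 File(s) 557,281 bytes
80 Dir(s) 10,181,591,040 bytes free
"""

if __name__ == "__main__":
    hits, dates = triage(SAMPLE_LISTING)
    for entry, reasons in hits:
        print(f"{entry.date} {entry.name!r}: {'; '.join(reasons)}")
    print(f"{len(hits)} suspicious entries; review those dated {dominant_date(dates)} together")
```

Run it against a full listdir.txt by passing the file's contents to triage(); the dominant date is the group to inspect before deleting anything, since a legitimate folder with an unusual name would be flagged on the same grounds.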
Old 07-22-2006, 01:02 AM   #12
junaman (Registered User)
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


Comp seems to be a bit faster; however, while browsing with Firefox, which is my preferred browser, I got some popups, which I wasn't getting before.

Also I could not remove Îòðÿä Îìåãà from the Add/Remove list; it said that components were missing.

Here is listdir.txt:

Volume in drive C has no label.
Volume Serial Number is F0CA-B217

Directory of C:\Documents and Settings\Moscow\Application Data

22/07/2006 04:57 PM <DIR> .
22/07/2006 04:57 PM <DIR> ..
16/01/2006 10:04 PM <DIR> .bittorrent
20/07/2006 05:39 PM 557,055 .iScrobbler
13/08/2003 11:40 PM <DIR> ACDSYS~1 ACD Systems
21/07/2006 08:42 PM <DIR> Adobe
16/03/2006 08:20 AM <DIR> AdobeUM
03/08/2004 08:36 PM <DIR> Alien Skin
08/06/2005 06:25 PM <DIR> Apple Computer
19/06/2006 05:16 PM <DIR> ArcSoft
16/06/2006 11:59 PM <DIR> Azureus
31/01/2004 05:37 PM 0 dm.ini
23/03/2006 03:55 PM <DIR> ExecutiveSoftware
19/01/2005 01:07 PM 57 fc_location.txt
11/08/2005 09:53 PM <DIR> Google
19/03/2004 09:23 PM <DIR> Help
27/01/2003 08:26 PM <DIR> IBMSAS~1 IBM Sash
01/06/2005 02:32 PM <DIR> ICQLite
10/07/2002 09:22 PM <DIR> IDENTI~1 Identities
20/07/2006 05:39 PM 169 iScrobbler.ini
18/06/2005 01:35 PM <DIR> Lavasoft
31/01/2004 05:40 PM <DIR> LEADER~1 Leadertech
09/04/2006 07:28 PM <DIR> MACROM~1 Macromedia
12/03/2006 03:22 PM <DIR> Media Player Classic
22/10/2005 06:25 PM <DIR> MICROS~1 Microsoft
10/07/2002 09:54 PM <DIR> MICROS~2 Microsoft Web Folders
18/06/2005 10:26 PM <DIR> Mozilla
21/04/2003 04:54 PM <DIR> MSN6
21/11/2005 06:44 PM <DIR> My Games
19/11/2004 09:57 PM <DIR> Raptisoft
22/07/2005 10:48 PM <DIR> Real
22/07/2006 04:49 PM <DIR> Skype
31/07/2004 07:11 PM <DIR> SmartDraw
30/06/2005 01:45 PM <DIR> Sony
22/09/2004 02:45 PM <DIR> Sun
30/07/2002 07:33 PM <DIR> Symantec
25/02/2005 07:33 PM <DIR> Talkback
25/07/2005 04:59 PM <DIR> Trend Micro
17/07/2006 07:28 AM <DIR> uTorrent
4 File(s) 557,281 bytes
35 Dir(s) 9,936,674,816 bytes free

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 5:01:05 PM, on 22/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Starter.Exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.connect.com.au:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\Yetisports\IEButtonYetiSportsEBayInterface.dll (file missing)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Gamgen\WINXP~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\System32\Starter.Exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

The 3D problem occurred with the game when I first played it, and updating drivers has not helped. I'll check out the Video Card forums.
Thank you very much for your help.
Old 07-22-2006, 09:06 PM   #13
Deckard (Mentor, Analyst - Security Team)
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Did the Firefox popups happen while you were surfing? If so, that may be normal. Firefox has a built-in popup blocker which may be disabled. Make sure you have the latest version of Firefox, which is 1.5.0.4. Open Firefox, and select Options under the Tools menu. When the Options dialog pops up, click Content. Make sure Block Popup Windows is checked and click OK. This will block most popup windows. There are still ways to get around it, but they are not very common.

You could also add a Firefox extension like Adblock. Additionally, using the MVPS Hosts File may help by blocking well-known ad sites and other malicious Internet sites. Just download the archive, extract it to your desktop, and double-click the mvps.bat file to install.

Let's dig a little deeper. But first, let me help you get rid of that pesky installed item.
  • Run HijackThis.
  • Go to Config || Misc Tools
  • Click the button labelled "Open Uninstall Manager".
  • Find and select the following and click "Delete This Entry":
    Îòðÿä Îìåãà
  • Close HijackThis.
Now download and run Blacklight. Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next, and then click on Close.

BlackLight beta should create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.
Old 07-22-2006, 11:52 PM   #14
junaman (Registered User)
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


Thanks for the popup help.
Got rid of that item, but Blacklight found nothing...

07/23/06 15:39:11 [Info]: BlackLight Engine 1.0.42 initialized
07/23/06 15:39:11 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/23/06 15:39:12 [Note]: 7019 4
07/23/06 15:39:12 [Note]: 7005 0
07/23/06 15:39:37 [Note]: 7006 0
07/23/06 15:39:37 [Note]: 7011 1424
07/23/06 15:39:37 [Note]: 7026 0
07/23/06 15:39:37 [Note]: 7026 0
07/23/06 15:39:52 [Note]: FSRAW library version 1.7.1019
07/23/06 15:51:30 [Note]: 7007 0
Old 07-23-2006, 12:10 PM   #15
Deckard (Mentor, Analyst - Security Team)
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Have the popups gone away?

One more tool, and then we'll wrap up if it shows nothing. I just want to make sure nothing is hiding, as there are some rootkits out there that can hide from Blacklight.

Download GMER and extract it to your desktop.

Double-click gmer.exe to run it and select the rootkit tab. Press scan. When it has finished, press copy and paste the log back here.

Give me one last HijackThis log, too.
Old 07-23-2006, 08:57 PM   #16
junaman (Registered User)
Join Date: Jul 2005
Posts: 39
OS: Windows XP Pro SP2


Tried running the rootkit scan in GMER and twice got a BSOD saying
MULTIPLE_IRP_COMPLETE_REQUESTS
Old 07-23-2006, 10:08 PM   #17
Deckard (Mentor, Analyst - Security Team)
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Run GMER again. Select the rootkit tab and uncheck Devices and Registry on the right hand side. Press scan. It should work now.

Post that log and a new HijackThis log. And let me know if the popups are gone.
Old 07-24-2006, 12:10 AM   #18
junaman, Registered User

The popups are gone!

Logs:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-24 15:45:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 82DDC4A0 ZwConnectPort
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT 82B16650 ZwOpenThread
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{77A4F1B8-1AF4-4D8F-868B-8CD80A3CAB58}
File S:\System Volume Information\MountPointManagerRemoteDatabase
File S:\System Volume Information\tracking.log
File S:\System Volume Information\_restore{77A4F1B8-1AF4-4D8F-868B-8CD80A3CAB58}

---- EOF - GMER 1.0.10 ----



Logfile of HijackThis v1.99.1
Scan saved at 4:09:50 PM, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\System32\Starter.Exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.connect.com.au:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\Yetisports\IEButtonYetiSportsEBayInterface.dll (file missing)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Gamgen\WINXP~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\System32\Starter.Exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.0.0792.00.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
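As an added illustration of how a log like the one above is read (example code written for this page, not a tool from the forum or from HijackThis), the Python below parses HJT `R`/`O` entry lines and flags the housekeeping items a helper typically looks at first: browser-helper registrations whose file is gone, DPF entries with no download source, and services with no publisher string. The sample entries are copied from the log above; the triage heuristics are assumptions for this example, not HijackThis's own rules.

```python
import re
from collections import Counter

# Constructed sample: a subset of entries in the shape of the HijackThis
# v1.99.1 log posted above (the real log has many more lines).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\Yetisports\IEButtonYetiSportsEBayInterface.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_0.EXE
"""

# An HJT entry line starts with its section code (R0-R3, O1-O23), then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return [(section, body), ...] for every R*/O* entry line in the log.
    The process list, headers and blank lines do not match and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries


def count_by_section(log_text):
    """Quick overview: how many entries each section contributes."""
    return Counter(section for section, _ in parse_entries(log_text))


def triage(log_text):
    """Return [(section, reason, body), ...] for entries worth a second look.

    Housekeeping heuristics (assumptions for this example), not malware verdicts:
      * O2/O3 entries whose DLL is '(no file)' or '(file missing)' are
        orphaned browser-helper registrations, safe to remove.
      * O16 DPF entries with nothing after the final dash are ActiveX
        references with no download source left.
      * O23 services with 'Unknown owner' carry no publisher string and
        should be looked up by path before being trusted.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            findings.append((section, "orphaned BHO/toolbar registration", body))
        elif section == "O16" and body.endswith("-"):
            findings.append((section, "DPF entry with no download source", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service without a publisher string", body))
    return findings


if __name__ == "__main__":
    print("entries per section:", dict(count_by_section(SAMPLE_LOG)))
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {body}")
```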
Old 07-24-2006, 02:16 PM   #19
Deckard, Mentor, Analyst - Security Team

Awesome. Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address.

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm and then click OK.

Reset System Restore
  • Go to Start>Run, type SYSDM.CPL and press Enter.
  • Select the System Restore tab.
  • Check "Turn off System Restore on all drives" and click Apply.
  • Now uncheck the same option and click OK.

Re-enable Protection
Turn back on any malware prevention tools we might have had you switch off (ie., Ewido's Shield).


Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Enable Windows Auto Update:
  • Go to Start>Run, type WUAUCPL.CPL and press Enter.
  • Make sure "Keep my computer up to date" is checked.
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Update Java
We need to update your Java as it is out of date. Older versions can be a security risk as malware writers have been known to exploit the weaknesses in the code.
  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previous installed versions of Java (Java 2 Runtime Environment SE and/or J2SE Runtime Environment) and Uninstall/Remove them.
  • Download and install the newest version from Sun.
  • After the reboot, go back into the Control Panel and double-click the Java icon.
    Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL three checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
    Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.

Firewalls
A good firewall is the first line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on its homepage.
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:
  • Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
  • Miranda-IM - another Instant Messenger client with multiple IM capabilities.
  • Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 07-25-2006, 02:08 AM   #20
junaman, Registered User

Everything seems fine now.
Thank you very much for your help!

All times are GMT -7.
Copyright 2001 - 2009, Tech Support Forum