#1 (permalink)
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
Malware Galore

Hello, and thanks in advance for your help. I have a Dell Inspiron with Win XP Home. I've been abducted by adware/malware. I've run Spybot, Ad-Aware, and CWShredder, and I've gone through my Add/Remove Programs list, removed suspect programs, etc. I am still having problems. I'm enclosing my HijackThis log. Any help would be greatly appreciated. Thanks again!

Best,
Puraj

```text
Logfile of HijackThis v1.99.1
Scan saved at 6:14:25 PM, on 9/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\{DCAC8667-04AC-1033-0107-040920020001}\Update.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SKS~1\chkdsk.exe
C:\WINDOWS\SYSTEM32\?racle\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsg3E.dll
O2 - BHO: (no name) - {9CFBE683-5F4E-08C1-6AEE-27800A3D0493} - C:\WINDOWS\System32\fvl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinlpex.exe GEN001
O4 - HKLM\..\Run: [newname] C:\\nwnmff_16.exe
O4 - HKLM\..\Run: [{C8-86-66-67-ZN}] c:\windows\system32\okdsregs.exe GEN001
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - HKCU\..\Run: [Lzuxfpzj] C:\WINDOWS\SYSTEM32\?racle\rundll32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
```
#2 (permalink)
Analyst, Security Team; TSF Supporter
Join Date: May 2006
Location: Phila, Pa
Posts: 2,335
OS: XP
Hello wyrdrune, and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please be patient with me during this time.
#4 (permalink)
Analyst, Security Team; TSF Supporter
Join Date: May 2006
Location: Phila, Pa
Posts: 2,335
OS: XP
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine. Please only use this topic to reply to. Do not start another thread. If any other issues arise let me know. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

----------------------------------------

DOWNLOADS

CWSHREDDER
If you still have CWS on your system, please run it again, otherwise Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

ComboFix
1. Download this file - You MUST save it to your desktop
http://download.bleepingcomputer.com/sUBs/combofix.exe
or
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS
Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your computer.
Microsoft AntiSpyware

----------------------------------------

SAFE MODE RE-BOOT
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Begin2Search

----------------------------------------

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" for each one (If they still exist) (You must kill them one at a time):

```text
C:\Program Files\Common Files\{DCAC8667-04AC-1033-0107-040920020001}\Update.exe
```

----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any):

```text
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsg3E.dll
O2 - BHO: (no name) - {9CFBE683-5F4E-08C1-6AEE-27800A3D0493} - C:\WINDOWS\System32\fvl.dll
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinlpex.exe GEN001
O4 - HKLM\..\Run: [newname] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [{C8-86-66-67-ZN}] c:\windows\system32\okdsregs.exe GEN001
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - HKCU\..\Run: [Lzuxfpzj] C:\WINDOWS\SYSTEM32\?racle\rundll32.exe
```

Please remember to close all other windows, including browsers, then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist:

```text
C:\WINDOWS\System32\nsg3E.dll
C:\WINDOWS\System32\fvl.dll
C:\WINDOWS\System32\qwinlpex.exe
c:\windows\system32\okdsregs.exe
C:\WINDOWS\thiselt.exe
kybrdff_16.exe>>>>Find via Start>>Search
dfndrff_16.exe>>>>Find via Start>>Search
```

----------------------------------------

SYSTEM RE-BOOT
Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS
Perform an online scan with Internet Explorer with Panda ActiveScan.
Click on the "Free To Use ActiveScan" located on the top right hand corner.
Begin the scan by selecting My Computer.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

ComboFix - 2nd Run
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

----------------------------------------

FOLLOW-UP
Please return and post these items:
ComboFix - txt-1
Combofix - txt-2
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode.
#5 (permalink)
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
Thanks for the quick help. Here are the logs, in order.

COMBOFIX - TXT-1

```text
Puraj - 06-09-25 17:38:36.81 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))

2006-09-25 08:06      17,787  --a------  C:\WINDOWS\SYSTEM32\KBDons.dll
2006-09-06 00:16   1,060,864  --a------  C:\WINDOWS\SYSTEM32\mfc71.dll
2006-09-06 00:08         928  --a------  C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-09-06 00:07     420,000  -r-hs----  C:\WINDOWS\jivzheh.exe
2006-09-05 15:14      68,608  --a------  C:\WINDOWS\SYSTEM32\olecli32.dll
2006-09-05 15:14     275,456  --a------  C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-05 15:14   1,190,400  --a------  C:\WINDOWS\SYSTEM32\ole32.dll
2006-08-25 13:26       8,704  --a------  C:\WINDOWS\SYSTEM32\kbdjpn.dll
2006-08-25 13:26       8,192  --a------  C:\WINDOWS\SYSTEM32\kbdkor.dll
2006-08-25 13:26       6,144  --a------  C:\WINDOWS\SYSTEM32\kbd106.dll
2006-08-25 13:26       6,144  --a------  C:\WINDOWS\SYSTEM32\kbd101c.dll
2006-08-25 13:26       6,144  --a------  C:\WINDOWS\SYSTEM32\kbd101b.dll
2006-08-25 13:26       5,632  --a------  C:\WINDOWS\SYSTEM32\kbd103.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-25 15:06    --------  d--------  C:\Program Files\Microsoft AntiSpyware
2006-09-25 14:49    --------  d--------  C:\Program Files\Common Files
2006-09-25 07:35    --------  d--------  C:\Program Files\QuickTime
2006-09-25 07:35    --------  d--------  C:\Program Files\iTunes
2006-09-25 07:35    --------  d--------  C:\Program Files\Apoint
2006-09-21 19:27    --------  d--------  C:\Program Files\SpywareBlaster
2006-09-20 14:00    --------  d--h-----  C:\Program Files\InstallShield Installation Information
2006-09-12 15:19    --------  d--------  C:\Program Files\PokerStars
2006-09-06 13:19    --------  d--h-----  C:\Program Files\WindowsUpdate
2006-09-06 12:54    --------  d--------  C:\Program Files\Lavasoft
2006-09-06 12:54    --------  d--------  C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53    --------  d--------  C:\Program Files\PCFriendly
2006-09-06 00:30    --------  d--------  C:\Program Files\Common Files\InstallShield
2006-09-06 00:26    --------  d--------  C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-09-06 00:11       32135  ---hs----  C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-06 00:06    --------  d--------  C:\Program Files\Windows NT
2006-09-06 00:06    --------  d--------  C:\Program Files\ComPlus Applications
2006-08-31 08:50      157184  ---hs----  C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-15 13:10    --------  d--------  C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10    --------  d--------  C:\Program Files\Google
2006-08-13 20:04    --------  d--------  C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00    --------  d--------  C:\Program Files\Adobe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aida"="\"C:\\WINDOWS\\SKS~1\\chkdsk.exe\" -vt tzt"
"Lzuxfpzj"="C:\\WINDOWS\\SYSTEM32\\?racle\\rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"{C8-86-66-67-ZN}"="c:\\windows\\system32\\okdsregs.exe GEN001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyfefyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows NT\\hocycosyp.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,ec,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP748]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"backup"="C:\\WINDOWS\\pss\\TFTP748Common Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"item"="TFTP748"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="RAVMOND"
"hkey"="HKCU"
"command"="RAVMOND.exe"
"inimapping"="1"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 09/25/2006 17:39:40.52
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
```

COMBOFIX - TXT-2

```text
Puraj - 06-09-25 21:41:03.92 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))

2006-09-25 08:06      17,787  --a------  C:\WINDOWS\SYSTEM32\KBDons.dll
2006-09-06 00:16   1,060,864  --a------  C:\WINDOWS\SYSTEM32\mfc71.dll
2006-09-06 00:08         928  --a------  C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-09-06 00:07     420,000  -r-hs----  C:\WINDOWS\jivzheh.exe
2006-09-05 15:14      68,608  --a------  C:\WINDOWS\SYSTEM32\olecli32.dll
2006-09-05 15:14     275,456  --a------  C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-05 15:14   1,190,400  --a------  C:\WINDOWS\SYSTEM32\ole32.dll
2006-08-25 13:26       8,704  --a------  C:\WINDOWS\SYSTEM32\kbdjpn.dll
2006-08-25 13:26       8,192  --a------  C:\WINDOWS\SYSTEM32\kbdkor.dll
2006-08-25 13:26       6,144  --a------  C:\WINDOWS\SYSTEM32\kbd106.dll
2006-08-25 13:26       6,144  --a------  C:\WINDOWS\SYSTEM32\kbd101c.dll
2006-08-25 13:26       6,144  --a------  C:\WINDOWS\SYSTEM32\kbd101b.dll
2006-08-25 13:26       5,632  --a------  C:\WINDOWS\SYSTEM32\kbd103.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-25 17:48    --------  d--------  C:\Program Files\Dell
2006-09-25 15:06    --------  d--------  C:\Program Files\Microsoft AntiSpyware
2006-09-25 14:49    --------  d--------  C:\Program Files\Common Files
2006-09-25 07:35    --------  d--------  C:\Program Files\QuickTime
2006-09-25 07:35    --------  d--------  C:\Program Files\iTunes
2006-09-25 07:35    --------  d--------  C:\Program Files\Apoint
2006-09-21 19:27    --------  d--------  C:\Program Files\SpywareBlaster
2006-09-20 14:00    --------  d--h-----  C:\Program Files\InstallShield Installation Information
2006-09-12 15:19    --------  d--------  C:\Program Files\PokerStars
2006-09-06 13:19    --------  d--h-----  C:\Program Files\WindowsUpdate
2006-09-06 12:54    --------  d--------  C:\Program Files\Lavasoft
2006-09-06 12:54    --------  d--------  C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53    --------  d--------  C:\Program Files\PCFriendly
2006-09-06 00:30    --------  d--------  C:\Program Files\Common Files\InstallShield
2006-09-06 00:26    --------  d--------  C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-09-06 00:11       32135  ---hs----  C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-06 00:06    --------  d--------  C:\Program Files\Windows NT
2006-09-06 00:06    --------  d--------  C:\Program Files\ComPlus Applications
2006-08-31 08:50      157184  ---hs----  C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-15 13:10    --------  d--------  C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10    --------  d--------  C:\Program Files\Google
2006-08-13 20:04    --------  d--------  C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00    --------  d--------  C:\Program Files\Adobe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aida"="\"C:\\WINDOWS\\SKS~1\\chkdsk.exe\" -vt tzt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyfefyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows NT\\hocycosyp.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,ec,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP748]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"backup"="C:\\WINDOWS\\pss\\TFTP748Common Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"item"="TFTP748"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="RAVMOND"
"hkey"="HKCU"
"command"="RAVMOND.exe"
"inimapping"="1"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 09/25/2006 21:42:05.24
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
```

PANDA SCAN

```text
Incident                Status        Location
Virus:Trj/Lowzones.SV   Disinfected   Operating system
```

HJT LOG

```text
Logfile of HijackThis v1.99.1
Scan saved at 10:01:12 PM, on 9/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
```

THANKS AGAIN!

Last edited by wyrdrune; 09-25-2006 at 11:09 PM. Reason: forgot to say thanks
#8
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

Regarding ComboFix:

You posted ComboFix2.txt and ComboFix3.txt. Please see if you can find Combofix.txt and post that.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

Microsoft AntiSpyware

----------------------------------------

FIXES AND DELETIONS

REMOVING PURITY SCAN

Download the attached wyr.zip file at the bottom of this post to your desktop. Double click on the zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

----------------------------------------

Go to Control Panel, click Display > Desktop > Customize Desktop > Website. Under the 'Web pages' box, delete everything present.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\SYSTEM32\KBDons.dll
C:\WINDOWS\SYSTEM32\winpfg32.sys
C:\WINDOWS\jivzheh.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Windows NT\hocycosyp.html
C:\Program Files\ComPlus Applications\kyfefyv.html
RAVMOND.exe >>> Find via Start >> Search

----------------------------------------

ON-LINE SCANS

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

Fresh ComboFix log
Kaspersky log
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode.
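The HijackThis log posted earlier in this thread mixes ordinary vendor autoruns with two entries an analyst looks at twice: a `chkdsk.exe` launched from `C:\WINDOWS\SKS~1` under a Run value named Aida, and a Global Startup link whose target HijackThis could not resolve (`= ?`). The following Python script is an added example, not part of the original thread and not code from HijackThis or ComboFix. It parses O4 lines copied from the log above (a constructed sample) and applies three triage heuristics: a Windows component file name running from somewhere other than the Windows, System or System32 directory; an executable living in a subdirectory of the Windows directory that is neither System32 nor System; and an unresolved startup target. The Windows directory `C:\WINDOWS` and the list of component names are assumptions taken from the platform shown in the log; the heuristics generalize beyond the one `chkdsk.exe` case and produce review items, not verdicts.

```python
"""Triage HijackThis O4 (autostart) entries with a few analyst heuristics.

Added example for this thread; not HijackThis or ComboFix code.
"""
import re
from dataclasses import dataclass, field

# Windows directory of the logged machine (assumption: XP SP1 as in the log).
WINDIR = r"C:\WINDOWS"
# Directories in which the component names below legitimately live on XP.
SYSTEM_DIRS = {WINDIR.upper(), WINDIR.upper() + r"\SYSTEM32", WINDIR.upper() + r"\SYSTEM"}
# Windows component names that unwanted software commonly borrows (assumed list).
SYSTEM_TOOL_NAMES = {"CHKDSK.EXE", "RUNDLL32.EXE", "SVCHOST.EXE", "LSASS.EXE",
                     "SERVICES.EXE", "WINLOGON.EXE", "EXPLORER.EXE"}

# O4 lines copied from the HijackThis log posted above (constructed sample input).
SAMPLE_O4_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Global Startup: name = target"
RUN_RE = re.compile(r"^O4 - (?P<where>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass
class AutostartEntry:
    where: str
    name: str
    command: str
    exe: str            # executable as written in the log, quotes stripped
    args: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def split_command(cmd: str):
    """Split an autorun command into (executable, arguments).

    A quoted path runs to the closing quote; otherwise the first
    whitespace-delimited token is taken as the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4_line(line: str):
    """Return an AutostartEntry for an O4 line, or None for any other line."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    return AutostartEntry(m.group("where"), m.group("name"), m.group("cmd"), exe, args)


def triage(entry: AutostartEntry) -> AutostartEntry:
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    if entry.exe == "?":
        entry.reasons.append("target could not be resolved by HijackThis")
        return entry
    directory, _, filename = entry.exe.rpartition("\\")
    d_up, f_up = directory.upper(), filename.upper()
    # A component name is only meaningful to check when a directory is given;
    # a bare name such as RUNDLL32.EXE is resolved through the search path.
    if directory and f_up in SYSTEM_TOOL_NAMES and d_up not in SYSTEM_DIRS:
        entry.reasons.append(f"{filename} is a Windows component name but runs from {directory}")
    if d_up.startswith(WINDIR.upper() + "\\"):
        first = d_up[len(WINDIR) + 1:].split("\\")[0]
        if first not in {"SYSTEM32", "SYSTEM"}:
            entry.reasons.append(f"runs from an unusual subdirectory of the Windows directory: {directory}")
    return entry


def triage_log(text: str):
    """Parse every O4 line in a HijackThis log and triage each entry."""
    return [triage(e) for e in (parse_o4_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_O4_LINES):
        print(f"{'REVIEW' if e.flagged else 'ok    '} [{e.name}] {e.exe} {e.args}")
        for r in e.reasons:
            print(f"        - {r}")
```

Run against the sample, only the Aida entry (two reasons) and the Works link (unresolved target) come back marked for review; vendor entries such as vptray, which uses 8.3 short names under Program Files, are left alone because short names by themselves are not a signal.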
#9
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
COMBOFIX LOG
Puraj - 06-09-26 21:12:46.58 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-26 to 2006-09-26 ))))))))))))))))))))))))))))))))))

2006-09-26 03:27 1,721 --a------ C:\system.exe
2006-09-26 01:35 9,216 --a------ C:\WINDOWS\SYSTEM32\dgflib.dll
2006-09-26 01:35 7,680 --a------ C:\WINDOWS\rundll.exe
2006-09-06 00:16 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2006-09-05 15:14 68,608 --a------ C:\WINDOWS\SYSTEM32\olecli32.dll
2006-09-05 15:14 275,456 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-05 15:14 1,190,400 --a------ C:\WINDOWS\SYSTEM32\ole32.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-26 19:41 -------- d-------- C:\Program Files\Windows NT
2006-09-26 19:40 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-26 19:40 -------- d-------- C:\Program Files\Common Files
2006-09-26 00:05 -------- d-------- C:\Program Files\PokerStars
2006-09-25 17:48 -------- d-------- C:\Program Files\Dell
2006-09-25 15:06 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-25 07:35 -------- d-------- C:\Program Files\QuickTime
2006-09-25 07:35 -------- d-------- C:\Program Files\iTunes
2006-09-25 07:35 -------- d-------- C:\Program Files\Apoint
2006-09-21 19:27 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-20 14:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-06 13:19 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 12:54 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 12:54 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53 -------- d-------- C:\Program Files\PCFriendly
2006-09-06 00:30 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-06 00:26 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-08-15 13:10 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10 -------- d-------- C:\Program Files\Google
2006-08-13 20:04 -------- d-------- C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00 -------- d-------- C:\Program Files\Adobe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,ec,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:c0000004
"OriginalStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,\
  00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"System"="{45673737-D1D1-4ECA-8760-AD3EFE7B0541}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 09/26/2006 21:14:46.37
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

KASPERSKY LOG

KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 26, 2006 9:11:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1
(Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/09/2006
Kaspersky Anti-Virus database records: 226646

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects: 66931
Number of viruses found: 74
Number of infected objects: 227 / 0
Number of suspicious objects: 1
Duration of the scan process: 01:15:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00BC0000.VBN Infected: Trojan-Downloader.Win32.Intexp.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00BC0001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00BC0002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00BC0003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00BC0005.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00BC0006.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00C80000.VBN Infected: Email-Worm.Win32.LovGate.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D00002.VBN Infected: Trojan-Downloader.Win32.Adload.fg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D40000.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D40001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D80000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0003.VBN Infected: Trojan-Downloader.Win32.Adload.fg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0004.VBN Infected: Trojan-Downloader.Win32.Adload.ff skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0005.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00E00000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00E00001.VBN Infected: Trojan-Downloader.Win32.Adload.ff skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00E40000.VBN Infected: Trojan-Downloader.Win32.Virtumonde.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00F80000.VBN Infected: Trojan-Spy.Win32.Agent.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01300000.VBN Infected: Backdoor.Win32.Rbot.azl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01340000.VBN Infected: P2P-Worm.Win32.SpyBot.gw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01980000.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\019C0000.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01E40000.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0000.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01F00000.VBN Infected: Backdoor.Win32.Agobot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01F00001.VBN Infected: Net-Worm.Win32.Sasser.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01F00002.VBN Infected: Backdoor.Win32.Agobot.tu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01F40000.VBN Infected: Backdoor.Win32.Agobot.lq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05180000.VBN Infected: Trojan-PSW.Win32.PdPinch.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05380000.VBN Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0002.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0003.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0004.VBN/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0004.VBN/SystemDoctor2006FreeInstall.cab/USDR6_0001_D08M0404NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0004.VBN/SystemDoctor2006FreeInstall.cab Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0004.VBN CHM: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0004.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0005.VBN Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0006.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0007.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480000.VBN Infected: Trojan-Clicker.Win32.VB.is skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480002.VBN Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480004.VBN/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480004.VBN/SystemDoctor2006FreeInstall.cab/USDR6_0001_D08M0404NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480004.VBN/SystemDoctor2006FreeInstall.cab Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480004.VBN CHM: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480004.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\055C0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05640000.VBN Infected: Trojan-PSW.Win32.Sinowal.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05700000.VBN Infected: Trojan-PSW.Win32.Sinowal.az skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05740000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05740001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05780000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN/SystemDoctor2006FreeInstall.cab/USDR6_0001_D08M0404NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN/SystemDoctor2006FreeInstall.cab Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN CHM: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800001.VBN Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05880000.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05880001.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05880002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05880003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05980000.VBN Infected: Trojan-PSW.Win32.PdPinch.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN Infected: Backdoor.Win32.Agobot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06940000.VBN Infected: Trojan.Win32.KillFiles.fz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07080000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07080000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07080000.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07080000.VBN/Beyond.class Infected: Trojan.Java.Needy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07080000.VBN ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07080000.VBN CryptZ: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07140000.VBN Infected: Trojan-Downloader.Win32.Intexp.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07140001.VBN Infected: Trojan-Downloader.Win32.Virtumonde.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440000.VBN Infected: Trojan-Dropper.Win32.Mudrop.bq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440001.VBN/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440001.VBN/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440001.VBN/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440001.VBN NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07440002.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07480000.VBN Infected: Trojan-Downloader.Win32.Dyfuca.fb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\074C0001.VBN Infected: Trojan-Downloader.Win32.Dyfuca.fb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07500000.VBN Infected: Trojan-Dropper.Win32.Mudrop.bq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D00000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN Infected: Trojan.Win32.KillFiles.fz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0000.VBN Infected: Trojan.Win32.KillFiles.fz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0004.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00000.VBN Infected: Trojan-Spy.Win32.Agent.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40004.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E80000.VBN Infected: Trojan.Win32.KillFiles.fz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E80001.VBN Infected: Trojan-Spy.Win32.Agent.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08640000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08640001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08680000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08800000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08800001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08840000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80000.VBN/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80000.VBN/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80000.VBN/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80000.VBN NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80001.VBN/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80001.VBN/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80001.VBN/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80001.VBN NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BE80001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\ar.jar-24cf9bc8-33edae6e.zip/B.class Infected: Trojan.Java.ClassLoader.Dummy.e skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\ar.jar-24cf9bc8-33edae6e.zip/V.class Infected: Trojan.Java.ClassLoader.a skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\ar.jar-24cf9bc8-33edae6e.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.c skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\ar.jar-24cf9bc8-33edae6e.zip/A.class Infected: Trojan-Dropper.Java.Xideo.e skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\ar.jar-24cf9bc8-33edae6e.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\archive.jar-6b861be4-3e7f1dab.zip/A.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\archive.jar-6b861be4-3e7f1dab.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\arr3.jar-53b20017-7e0db73a.zip/Counter.class
Infected: Trojan.Java.ClassLoader.i skipped C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\arr3.jar-53b20017-7e0db73a.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\arr3.jar-53b20017-7e0db73a.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\Puraj\.jpi_cache\jar\1.0\arr3.jar-53b20017-7e0db73a.zip ZIP: infected - 3 skipped C:\Documents and Settings\Puraj\Cookies\INDEX.DAT Object is locked skipped C:\Documents and Settings\Puraj\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Puraj\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Puraj\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\Puraj\Local Settings\Temp\3fe7.$$$ Infected: Trojan-PSW.Win32.Sinowal.az skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\6J5IPZWG\popup[2].php Infected: Trojan-Clicker.HTML.Agent.a skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\GVP7YAZ1\gc2[1] Infected: Exploit.JS.ADODB.Stream.v skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\GVP7YAZ1\vw[1].dat Infected: Trojan-PSW.Win32.Sinowal.az skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\H4Y66UCR\popup[1].php Infected: Trojan-Clicker.HTML.Agent.a skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\T047H5ST\popup[2].php Infected: Trojan-Clicker.HTML.Agent.a skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\T047H5ST\popup[3].php Infected: Trojan-Clicker.HTML.Agent.a skipped C:\Documents and 
Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\T047H5ST\start[1].exe Infected: Trojan-Downloader.Win32.Small.dul skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\YPR8LSBI\popup[2].php Infected: Trojan-Clicker.HTML.Agent.a skipped C:\Documents and Settings\Puraj\Local Settings\Temporary Internet Files\Content.IE5\YPR8LSBI\sp352452548[1].php Suspicious: Trojan-Downloader.JS.gen skipped C:\Documents and Settings\Puraj\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Puraj\ntuser.dat.LOG Object is locked skipped C:\Program Files\Apoint\Apoint.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Infected: Trojan-PSW.Win32.Sinowal.ay skipped C:\Program Files\iTunes\iTunesHelper.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0353790.exe/stream Infected: Trojan-Downloader.Win32.IstBar.no skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0353790.exe NSIS: infected - 1 skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0353790.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP645\A0356979.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP645\A0356980.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357021.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped C:\System Volume 
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357022.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357024.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.u skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357113.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357113.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357113.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357113.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357113.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357113.exe CAB: infected - 5 skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357115.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357116.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357117.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357147.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357148.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped C:\System 
Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357171.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358171.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358172.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358197.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358197.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358197.exe NSIS: infected - 2 skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358202.exe Infected: Trojan-Downloader.Win32.VB.alg skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358204.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358216.exe Infected: Trojan-Downloader.Win32.Adload.fg skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358217.exe Infected: Trojan-Downloader.Win32.VB.amb skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358221.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358222.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358223.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped C:\System Volume 
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358224.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358227.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP646\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP647\A0358247.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358283.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358293.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.y skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358293.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358293.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.q skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358293.exe NSIS: infected - 3 skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358294.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358295.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358301.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped C:\System Volume 
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358321.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358327.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358328.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358336.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358340.exe/msnmsgrs.exe Infected: Backdoor.Win32.Rbot.azl skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358340.exe/wuauclts.exe Infected: P2P-Worm.Win32.SpyBot.gw skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358340.exe CreateInstall: infected - 2 skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358401.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP649\A0358406.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP651\A0360424.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP651\A0360457.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP651\A0360458.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361482.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped C:\System Volume 
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361618.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361622.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361623.exe Infected: Trojan-Downloader.Win32.PurityScan.cx skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361624.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361625.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP655\A0361667.rbf Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP655\A0361750.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP656\A0361788.dll Infected: Packed.Win32.Klone.k skipped C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP656\change.log Object is locked skipped C:\system.exe Infected: Trojan-Downloader.Win32.Small.dul skipped C:\WINDOWS\bookmarks.exe Infected: Trojan.Win32.StartPage.hw skipped C:\WINDOWS\Debug\oakley.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\LastGood\amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped C:\WINDOWS\remtm3.exe Infected: not-a-virus:AdWare.Win32.BetterInternet skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped 
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. 
HJT LOG Logfile of HijackThis v1.99.1 Scan saved at 9:16:13 PM, on 9/26/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\explorer.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Puraj\IOGuyou.exe C:\WINDOWS\System32\notepad.exe C:\unzipped\hijackthis[1]\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: 
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O21 - SSODL: System - 
{45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing) O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing) O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe THANKS! |
#10 (permalink) |
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

Please submit the following file to Jotti File Scan:

C:\Documents and Settings\Puraj\IOGuyou.exe

At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

Microsoft AntiSpyware

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O21 - SSODL: System - {45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\system.exe
C:\WINDOWS\SYSTEM32\dgflib.dll
C:\WINDOWS\rundll.exe
C:\WINDOWS\bookmarks.exe
C:\WINDOWS\remtm3.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

Clear Temp Files and Cache

Clean IE Cookies
Clean Temporary Files
CLEAR JAVA CACHE
CLEAR Norton Quarantine

Please see Norton's Instructions to clear the Quarantined files.

----------------------------------------

ON-LINE SCANS

Click here to use the F-Secure Online Scanner. It's explained there with images how to allow the ActiveX to start the scan, so read that first.

----------------------------------------

FOLLOW-UP

Please return and post these items:
Jotti report
F-Secure scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode.
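As an added example (not code from this thread, the analyst, or HijackThis itself), here is a small Python triage pass over the two entry types the analyst singles out above: the Winlogon Shell value (F2) and the ShellServiceObjectDelayLoad entries (O21). The sample log lines are copied from the HJT log posted in this thread; the severity labels and the "high"/"review" split are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis 1.99.1 format. The F2 and O21 lines are the
# two entries the analyst told the poster to fix; the others are ordinary
# autostart/service entries taken from the same log.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O21 - SSODL: System - {45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2" or "O21"
    severity: str  # "high" or "review" (assumed labels for this example)
    reason: str    # why a human should look at this entry
    entry: str     # the entry body as it appeared in the log


# Every HijackThis entry line starts with its section code followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# F2: the Winlogon Shell value. On a clean XP box it is just "explorer.exe";
# any further token is a second program started at every logon.
SHELL_RE = re.compile(r"REG:system\.ini:\s*Shell=(?P<value>.*)$", re.IGNORECASE)
# O21: ShellServiceObjectDelayLoad entries, loaded into the shell at startup.
SSODL_RE = re.compile(
    r"SSODL:\s*(?P<name>.+?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<module>.+)$"
)


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def check_shell(body: str) -> Optional[Finding]:
    """Flag an F2 Shell value that is not exactly explorer.exe."""
    m = SHELL_RE.search(body)
    if not m:
        return None
    value = m.group("value").strip()
    tail = re.match(r"explorer\.exe\s*(?P<extra>.*)$", value, re.IGNORECASE)
    if tail is None:
        return Finding("F2", "high", f"Shell is not explorer.exe: {value}", body)
    extra = tail.group("extra").strip()
    if extra:
        return Finding("F2", "high", f"extra program appended to Shell: {extra}", body)
    return None


def check_ssodl(body: str) -> Optional[Finding]:
    """Flag every O21 SSODL entry; a module HJT could not find gets top priority."""
    m = SSODL_RE.search(body)
    if not m:
        return None
    name, module = m.group("name"), m.group("module").strip()
    if module.lower().endswith("(file missing)"):
        return Finding("O21", "high",
                       f"SSODL '{name}' still references a module HJT could not find: {module}",
                       body)
    return Finding("O21", "review", f"SSODL '{name}' loads {module} into the shell", body)


CHECKS = {"F2": check_shell, "O21": check_ssodl}


def triage(log_text: str) -> List[Finding]:
    """Run the section-specific checks over a whole HJT log, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        check = CHECKS.get(section)
        if check is None:
            continue
        finding = check(body)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```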
#11 (permalink) |
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
JOTTI
Service load: 0% 100% File: IOGuyou.exe Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) MD5 9a8bb8301a125e8033284b9055f16059 Packers detected: UPX Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VirusBuster Found nothing VBA32 Found nothing F-SECURE SCAN Scanning Report Wednesday, September 27, 2006 17:42:54 - 21:24:15 Computer name: LAPPY Scanning type: Scan system for viruses, rootkits, spyware Target: C:\ -------------------------------------------------------------------------------- Result: 27 malware found Adware.AdMedia (spyware) System Packed.Win32.Klone.k (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP656\A0361788.DLL Tracking Cookie (spyware) System (Disinfected) System System System Trojan-Downloader.Win32.Adload.fg (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358216.EXE (Renamed) Trojan-Downloader.Win32.Agent.agw (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358171.DLL (Renamed) Trojan-Downloader.Win32.Agent.awf (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP655\A0361750.EXE (Renamed & Submitted) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361624.EXE (Renamed) C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE (Renamed) C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE (Renamed) C:\PROGRAM 
FILES\ITUNES\ITUNESHELPER.EXE (Renamed) C:\PROGRAM FILES\APOINT\APOINT.EXE (Renamed) Trojan-Downloader.Win32.Dyfuca.ey (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358221.EXE (Renamed) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358222.EXE (Renamed) Trojan-Downloader.Win32.PurityScan.cx (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP654\A0361623.EXE (Renamed & Submitted) Trojan-Downloader.Win32.Qoologic.at (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0357021.EXE (Renamed) Trojan-Downloader.Win32.Qoologic.c (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358172.EXE (Renamed) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358224.EXE (Renamed) Trojan-Downloader.Win32.Small.dul (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP656\A0361815.EXE (Renamed & Submitted) Trojan-Downloader.Win32.VB.alg (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358202.EXE (Renamed) Trojan-Downloader.Win32.VB.amb (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP646\A0358217.EXE (Renamed) Trojan-PSW.Win32.Sinowal.ay (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP656\A0361829.EXE (Renamed & Submitted) Trojan.Win32.StartPage.hw (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP656\A0361828.EXE (Renamed) W32/Istbar.AKU (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP636\A0353790.EXE W32/PDPinch.DP.dropper (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP656\A0361826.EXE -------------------------------------------------------------------------------- Statistics Scanned: Files: 29888 
System: 4226 Not scanned: 4 Actions: Disinfected: 1 Renamed: 19 Deleted: 0 None: 7 Submitted: 4 Files not scanned: C:\HIBERFIL.SYS C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{A6FFEE71-78E0-4DD2-A0B6-E096C787D774}.BIN -------------------------------------------------------------------------------- Options Scanning engines: F-Secure AVP: 6.0.171, 2006-09-27 F-Secure Libra: 2.4.1, 2006-09-27 F-Secure Orion: 1.2.37, 2006-09-27 F-Secure Blacklight: 1.0.31, 0000-00-00 F-Secure Pegasus: 1.19.0, 2006-08-14 F-Secure Draco: 1.0.35, 0259-24-212 Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX Use Advanced heuristics -------------------------------------------------------------------------------- Copyright © 1998-2006 Product support |Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability. 
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 5:20:25 PM, on 9/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: System - {45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#12
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
DISABLE ANTI-SPYWARE APPLICATIONS
Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.
Microsoft AntiSpyware
----------------------------------------
SAFE MODE RE-BOOT
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.
----------------------------------------
FIXES AND DELETIONS
These entries are still present in your HJT log. Did you miss fixing them? Please try again.
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O21 - SSODL: System - {45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing)
Please remember to close all other windows, including browsers, then click Fix checked.
----------------------------------------
Do you recognize this file?
C:\Documents and Settings\Puraj\IOGuyou.exe
If not, please submit it to his web page for analysis: http://www.bleepingcomputer.com/subm....php?channel=4
Please put a link to your post in the message.
----------------------------------------
These exe files were infected and renamed. Therefore, the infection may still be present. The files should be deleted & the programs may need reinstallation.
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE (Renamed)
C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE (Renamed)
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE (Renamed)
C:\PROGRAM FILES\APOINT\APOINT.EXE (Renamed)
----------------------------------------
FOLLOW-UP
Please return and post these items:
A new HJT log run in Normal Mode
Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode
#13
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
Logfile of HijackThis v1.99.1
Scan saved at 4:54:33 PM, on 9/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#14
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Did you submit this file: C:\Documents and Settings\Puraj\IOGuyou.exe
for examination? I see it's not in your log. Did you re-install the infected programs?
Last edited by fredmh; 09-28-2006 at 06:41 PM.
#15
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
I actually deleted the file because I didn't recognize it before I was notified to submit it for scanning. My initial log was taken just before the fact. Sorry about that.
As for the other files, yes, I deleted and then reinstalled them. Thanks.
#16
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Your logs are clean. Please complete the next "Housekeeping" steps and read through the information which follows.
Windows XP - Reset Hidden Files
----------------------------------------
Clean-out and Reset System Restore
This will clean out any junk or malicious files left behind in System Restore.
This will create a new Restore Point.
----------------------------------------
RE-ENABLE ANTI-SPYWARE APPLICATIONS
If you were instructed to disable Anti-spyware applications during this fix, you may re-enable them.
----------------------------------------
Please read through the following information to help protect your computer in the future.
KEEP YOUR OPERATING SYSTEM UPDATED
Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch
MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.
ENABLE WINDOWS AUTO UPDATE
Go to Start>Run - type wuaucpl.cpl
Tick the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".
TOOLS TO HELP KEEP YOUR SYSTEM CLEAN
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
A tutorial for IE-SPYAD can be found here
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
MCAFEE SITE ADVISOR
SITE ADVISOR is a free IE plug-in (also supports the Firefox browser) which is used in conjunction with the Google search engine. It advises which web sites are considered safe and which sites could pose a problem. It also shows what problems were encountered with each site, such as malicious downloads, spam, and related links.
ANTI-VIRUS AND FIREWALL PROGRAMS
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial
Here are some very good free Antivirus products which are available:
If you do not have a firewall, here are 4 free ones available for personal use:
Understanding and Using Firewalls
INFORMATIONAL READING
In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
Please respond one more time and let me know you received this post so it can be marked resolved
#17
Registered User
Join Date: Sep 2006
Posts: 19
OS: XP
Thanks for all the help. Sorry for the late reply. I've been in the hospital with appendicitis. I got back home yesterday, checked out the computer (it hasn't been in use) and the popup situation remains.
I'm sure that I followed the instructions, but it seems as though the progress we made has regressed.
COMBOFIX
Puraj - 06-10-05 23:11:25.11 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\LocalService\Application Data\NetMon
((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))
2006-10-05 22:34 86,036 --a------ C:\WINDOWS\SYSTEM32\xmcniwbk.dll
2006-10-05 22:34 496,198 ---hs---- C:\WINDOWS\SYSTEM32\acdgh.bak1
2006-10-05 22:32 684,084 ---hs---- C:\WINDOWS\SYSTEM32\hgdca.dll
2006-10-05 22:28 36,608 --a------ C:\WINDOWS\nem220.dll
2006-10-05 22:28 126,976 --a------ C:\WINDOWS\SYSTEM32\dpz.dll
2006-10-05 22:27 40,973 ---hs---- C:\WINDOWS\SYSTEM32\awtqqrs.dll
2006-10-03 14:08 761,856 --a------ C:\WINDOWS\SYSTEM32\xvidcore.dll
2006-10-03 14:07 180,224 --a------ C:\WINDOWS\SYSTEM32\xvidvfw.dll
2006-09-28 06:24 75,264 --a------ C:\WINDOWS\SYSTEM32\nst63.dll
2006-09-06 00:16 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2006-09-05 15:14 68,608 --a------ C:\WINDOWS\SYSTEM32\olecli32.dll
2006-09-05 15:14 275,456 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-05 15:14 1,190,400 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-05 22:35 -------- d-------- C:\Program Files\VSToolbar
2006-10-05 22:35 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SearchToolbarCorp
2006-10-05 22:33 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-10-05 22:33 -------- d-------- C:\Program Files\em
2006-10-05 22:27 -------- d-------- C:\Program Files\mm
2006-10-05 22:27 -------- d-------- C:\Program Files\Internet Optimizer
2006-10-05 22:27 -------- d-------- C:\Program Files\Common Files
2006-10-05 19:09 -------- d-------- C:\Program Files\Microsoft Works
2006-10-05 19:09 -------- d-------- C:\Program Files\Microsoft Picture It! 2002
2006-10-05 19:09 -------- d-------- C:\Program Files\Messenger
2006-10-05 19:09 -------- d-------- C:\Program Files\Apoint
2006-10-04 13:59 -------- d-------- C:\Program Files\PokerStars
2006-10-03 14:11 -------- d-------- C:\Program Files\WinRAR
2006-10-03 14:08 -------- d-------- C:\Program Files\XviD
2006-09-28 16:42 -------- d-------- C:\Program Files\QuickTime
2006-09-28 16:41 -------- d-------- C:\Program Files\iTunes
2006-09-27 11:31 -------- d-------- C:\Program Files\Servant Salamander 2.0
2006-09-26 19:41 -------- d-------- C:\Program Files\Windows NT
2006-09-26 19:40 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-25 17:48 -------- d-------- C:\Program Files\Dell
2006-09-25 15:06 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-21 19:27 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-20 14:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-06 13:19 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 12:54 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 12:54 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53 -------- d-------- C:\Program Files\PCFriendly
2006-09-06 00:30 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-06 00:26 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-15 13:10 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10 -------- d-------- C:\Program Files\Google
2006-08-13 20:04 -------- d-------- C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00 -------- d-------- C:\Program Files\Adobe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Aida"="\"C:\\WINDOWS\\System32\\ICROSO~1\\wuauboot.exe\" -vt yazb"
"Ces"="C:\\Program Files\\??crosoft\\netdde.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgdca
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Thu 10/05/2006 23:12:29.01
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 11:16:22 PM, on 10/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - _{A2DDB8FC-566A-5FE7-1402-2CF07DCB6093} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\ICROSO~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Ces] C:\Program Files\??crosoft\netdde.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#18
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
I suspect you may have an infection which hides from HijackThis.
I'd like you to rename HijackThis.exe to doom.exe.
Please post a new re-named HJT log
#19
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Change of plans. Disregard my last post.
Please submit this file to: http://www.bleepingcomputer.com/subm....php?channel=4
C:\WINDOWS\SYSTEM32\nst63.dll
Please include a link to this thread
----------------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - _{A2DDB8FC-566A-5FE7-1402-2CF07DCB6093} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\ICROSO~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Ces] C:\Program Files\??crosoft\netdde.exe
Please remember to close all other windows, including browsers, then click Fix checked.
----------------------------------------
ComboFix
1. Download this file - You MUST save it to your desktop
http://download.bleepingcomputer.com/sUBs/combofix.exe
or
http://www.techsupportforum.com/sectools/combofix.exe
2. Go to <<Start>> then <<Run>> then paste in the single line command then click OK
"C:\Documents and Settings\Puraj\Desktop\combofix.exe" /v hgdca nem220 dpz awtqqrs xmcniwbk
3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
----------------------------------------
Please download AVG Anti-Spyware 7.5
We will use this later
----------------------------------------
SAFE MODE RE-BOOT
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.
----------------------------------------
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
VSToolbar for Internet Explorer
Internet Optimizer
SystemDoctor 2006 Free
----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\VSToolbar
C:\Documents and Settings\Puraj\Application Data\SearchToolbarCorp
C:\Program Files\em
C:\Program Files\mm
C:\Program Files\Internet Optimizer
C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
----------------------------------------
SYSTEM RE-BOOT
Reboot into Normal Mode.
----------------------------------------
Please return and post these items immediately:
ComboFix log
A new HJT log run in Normal Mode
Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode
----------------------------------------
After posting the above logs, please run this scanner
Kaspersky - Extended
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Please post the Kaspersky log.
#20 (permalink)
Registered User | Join Date: Sep 2006 | Posts: 19 | OS: XP
I submitted the indicated file for examination.

Everything progressed smoothly except for my attempt to remove VSTOOLBAR using "add/remove programs." When I click "remove," nothing happens. It is as if it is preventing me from removing it. Here are the ComboFix and HJT logs. THANK YOU!

COMBOFIX

Puraj - 06-10-11 0:10:51.09 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"
Command switches used :: /v hgdca nem220 dpz awtqqrs xmcniwbk

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\hgdca.dll
C:\WINDOWS\system32\dpz.dll
C:\WINDOWS\system32\awtqqrs.dll
C:\WINDOWS\system32\xmcniwbk.dll
C:\WINDOWS\system32\acdgh.bak1
C:\WINDOWS\system32\acdgh.bak2
C:\WINDOWS\system32\acdgh.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((( Files Created from 2006-09-11 to 2006-10-11 ))))))))))))))))))))))))))))))))))
2006-10-10 07:39 78,848 --a------ C:\WINDOWS\SYSTEM32\nstFD.dll
2006-10-10 07:39 78,848 --a------ C:\WINDOWS\SYSTEM32\nsrFC.dll
2006-10-05 22:28 36,608 --a------ C:\WINDOWS\nem220.dll
2006-10-03 14:08 761,856 --a------ C:\WINDOWS\SYSTEM32\xvidcore.dll
2006-10-03 14:07 180,224 --a------ C:\WINDOWS\SYSTEM32\xvidvfw.dll
2006-09-28 06:24 75,264 --a------ C:\WINDOWS\SYSTEM32\nss83.dll
2006-09-28 06:24 75,264 --a------ C:\WINDOWS\SYSTEM32\nsdE6.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-08 13:41 -------- d-------- C:\Program Files\PokerStars
2006-10-06 08:05 -------- d-------- C:\Program Files\diabloII
2006-10-05 23:18 -------- d-------- C:\Program Files\Common Files
2006-10-05 22:35 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SearchToolbarCorp
2006-10-05 19:09 -------- d-------- C:\Program Files\Microsoft Works
2006-10-05 19:09 -------- d-------- C:\Program Files\Microsoft Picture It! 2002
2006-10-05 19:09 -------- d-------- C:\Program Files\Messenger
2006-10-05 19:09 -------- d-------- C:\Program Files\Apoint
2006-10-03 14:11 -------- d-------- C:\Program Files\WinRAR
2006-10-03 14:08 -------- d-------- C:\Program Files\XviD
2006-09-28 16:42 -------- d-------- C:\Program Files\QuickTime
2006-09-28 16:41 -------- d-------- C:\Program Files\iTunes
2006-09-27 11:31 -------- d-------- C:\Program Files\Servant Salamander 2.0
2006-09-26 19:41 -------- d-------- C:\Program Files\Windows NT
2006-09-26 19:40 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-25 17:48 -------- d-------- C:\Program Files\Dell
2006-09-25 15:06 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-21 19:27 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-20 14:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-06 13:19 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 12:54 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 12:54 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53 -------- d-------- C:\Program Files\PCFriendly
2006-09-06 00:30 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-06 00:26 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-08-15 13:10 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10 -------- d-------- C:\Program Files\Google
2006-08-13 20:04 -------- d-------- C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00 -------- d-------- C:\Program Files\Adobe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Aida"="\"C:\\WINDOWS\\System32\\ICROSO~1\\wuauboot.exe\" -vt yazb"
"Ces"="C:\\Program Files\\??crosoft\\netdde.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 10/11/2006 0:15:08.59
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:26:01 AM, on 10/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\notepad.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - _{A2DDB8FC-566A-5FE7-1402-2CF07DCB6093} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nstFD.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\ICROSO~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Ces] C:\Program Files\??crosoft\netdde.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
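The helper in this thread triages the HijackThis log by eye: orphaned search hooks marked "(no file)", Run entries whose directory names imitate a vendor (the ICROSO~1 and ??crosoft entries, where HijackThis printed "?" for a character it could not display), BHO DLLs sitting directly under C:\WINDOWS, and a ComboFix /v pass that named nem220 but left C:\WINDOWS\nem220.dll loaded as a BHO in the follow-up log. The script below does the same checks mechanically. It is an added example and not code from this thread, from HijackThis or from ComboFix; the heuristics and the KNOWN_NAMES list are assumptions chosen to fit the entries quoted above, and the sample log lines are constructed from those entries.

```python
"""Triage a HijackThis 1.99 log the way the helper on this page does by hand.

Added example for this thread; not part of the forum post and not code from
HijackThis or ComboFix.  Assumptions, all marked: the heuristics are
illustrative, KNOWN_NAMES is a small hand-picked list, and the sample lines
are constructed from the entries quoted in the thread.
"""
import re
from dataclasses import dataclass

# Assumption: vendor names that lookalike directories try to imitate.
KNOWN_NAMES = ("microsoft", "oracle", "symantec", "common files")

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First DOS path up to an .exe/.dll/.lnk extension, quoted or not.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|lnk)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # HJT entry class, e.g. "O4"
    line: str      # the original log line
    reasons: list  # why it was flagged


def is_lookalike(component: str) -> bool:
    """True for names such as ICROSO~1, ??crosoft or ?racle: the visible stem
    is a substring of a known name that does not start at its first character,
    i.e. the real first character is one HJT could not print."""
    stem = re.sub(r"~\d+$", "", component.lower()).lstrip("?")
    return len(stem) >= 4 and any(name.find(stem) > 0 for name in KNOWN_NAMES)


def triage_entry(kind: str, body: str) -> list:
    """Heuristic reasons to act on one R*/O* entry (empty list = looks benign)."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("target file missing; orphaned entry, safe to fix")
    m = PATH_RE.search(body)
    if m:
        dirs = m.group(0).split("\\")[1:-1]   # drop drive letter and file name
        if any("?" in d for d in dirs):
            reasons.append("directory name has characters HJT could not print")
        if any(is_lookalike(d) for d in dirs):
            reasons.append("directory name imitates a known vendor name")
        if kind == "O2" and not any(d.lower() == "program files" for d in dirs):
            reasons.append("BHO loaded from outside Program Files; verify publisher")
    return reasons


def triage(hjt_text: str) -> list:
    findings = []
    for raw in hjt_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue            # process list, headers, blank lines
        reasons = triage_entry(m.group("kind"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("kind"), raw.strip(), reasons))
    return findings


def combofix_targets(cmdline: str) -> list:
    """Basenames handed to ComboFix after the /v switch."""
    m = re.search(r"/v\s+(.*)$", cmdline)
    return [t.lower() for t in m.group(1).split()] if m else []


def persisting_targets(cmdline: str, hjt_after: str) -> list:
    """Targets that still show up as <name>.dll in a log taken after the run."""
    text = hjt_after.lower()
    return [t for t in combofix_targets(cmdline) if f"\\{t}.dll" in text]


# Constructed sample: a handful of lines modelled on the thread's logs.
COMBOFIX_CMD = r'"C:\Documents and Settings\Puraj\Desktop\combofix.exe" /v hgdca nem220 dpz awtqqrs xmcniwbk'
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\ICROSO~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Ces] C:\Program Files\??crosoft\netdde.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.kind, f.line)
        for r in f.reasons:
            print("    ->", r)
    print("still present after ComboFix:", persisting_targets(COMBOFIX_CMD, SAMPLE_HJT))
```

Run against the real log pasted above, the lookalike check fires on the Aida and Ces entries and the BHO check on nem220.dll, nstFD.dll and AUTOSE~1.DLL, while Symantec's own SYMANT~1 short names pass because the stem matches the vendor name from its first character. The persistence check is the part worth keeping: a removal tool reporting success is not evidence that a target is gone, so compare the post-run log against what you asked the tool to remove.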