#1
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Adware problems
This is my first post to "HijackThis". I've followed the 5 steps. The issue that I am getting is that Internet pages keep getting launched without me initiating them. I have Symantec AntiVirus and have been receiving notifications of threats. I've included one of the history files here:

Date,Filename,Threat,Threat Type,Action Taken,Computer,User,Original Location,Status,Current Location,Primary Action,Secondary Action,Scan Type,Action Description
8/28/2007 1:00:23 PM,A0140841.exe,Downloader,File,Quarantined,L14003044,SYSTEM,C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP634\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
8/27/2007 10:29:40 PM,f02WtR1065.exe,Downloader,File,Quarantined,L14003044,LYNCHGE,C:\WINDOWS\system32\f02WtR\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Manual scan,The file was quarantined successfully.
8/27/2007 7:52:39 PM,ieupdr2.exe,Downloader,File,Quarantined,L14003044,LYNCHGE,C:\Documents and Settings\lynchge\Desktop\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
8/27/2007 7:52:33 PM,msiesettings[1].exe,Downloader,File,Quarantined,L14003044,LYNCHGE,C:\Documents and Settings\lynchge\Local Settings\Temporary Internet Files\Content.IE5\KR3JEGLL\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.

Here is the Deckard log:

Deckard's System Scanner v20070826.66
Run by LYNCHGE on 2007-08-28 12:36:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
84: 2007-08-28 16:36:49 UTC - RP635 - Deckard's System Scanner Restore Point
83: 2007-08-28 00:52:20 UTC - RP634 - System Checkpoint
82: 2007-08-26 21:56:25 UTC - RP633 - System Checkpoint
81: 2007-08-25 19:30:05 UTC - RP632 - System Checkpoint
80: 2007-08-24 12:34:18 UTC - RP631 - System Checkpoint

-- First Restore Point --
1: 2007-05-31 05:35:14 UTC - RP552 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as LYNCHGE.exe) ---------------------------------------------
Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-28 12:38:40
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentAgent.exe
C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\PDS.EXE
C:\Program Files\LANDesk\LDClient\QIPCLNT.EXE
C:\Program Files\LANDesk\LDClient\Tmcsvc.exe
C:\Program Files\LANDesk\LDClient\issuser.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Verizon Wireless\venturi\Client\VentC.exe C:\WINDOWS\system32\WLTRYSVC.EXE C:\WINDOWS\system32\BCMWLTRY.EXE C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\MSGSYS.EXE C:\WINDOWS\explorer.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Windows NT\mehewo22011.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\eFax Messenger 4.2\J2GTray.exe C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\My Downloads\dss.exe C:\HijackThis\LYNCHGE.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program 
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll O4 - HKEY_LOCAL_MACHINE\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKEY_LOCAL_MACHINE\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKEY_LOCAL_MACHINE\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKEY_LOCAL_MACHINE\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" O4 - HKEY_LOCAL_MACHINE\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe O4 - HKEY_LOCAL_MACHINE\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKEY_LOCAL_MACHINE\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R O4 - HKEY_LOCAL_MACHINE\..\Run: [mehewo] C:\Program Files\Windows NT\mehewo22011.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe O4 - Global Startup: Logitech Harmony Remote Software 7.lnk = C:\Program Files\Logitech\Logitech Harmony Remote Software 
7\HarmonyRemote.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: https://turbotax.com (HKCU) O15 - Trusted Zone: http://turbotax.com (HKCU) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...1F/wmvadvd.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - 
http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.co...063.4005671296 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O17 - HKLM\Software\..\Telephony: DomainName = us.ray.com O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = us.ray.com O17 - HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: Domain = us.ray.com O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = us.ray.com O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. 
- "C:\Program Files\LANDesk\Shared Files\residentagent.exe" O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\cba\PDS.EXE O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\QIPCLNT.EXE O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\Tmcsvc.exe O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe /SERVICE O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\system32\LxrJD31s.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe service O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - C:\Program Files\Verizon Wireless\venturi\Client\VentC.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe -- HijackThis Fixed Entries (C:\HIJACK~1\backups\) ----------------------------- backup-20070124-121626-144 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-253 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-279 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-294 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-336 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-411 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-440 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM 
backup-20070124-121626-557 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-610 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-649 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-803 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121626-835 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-103 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-201 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-213 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-233 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-260 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-271 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-318 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-335 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-343 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-368 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-396 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-400 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-414 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-426 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-439 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-453 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-509 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-517 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-577 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-599 O1 - Hosts: 138.126.80.53 
ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-606 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-609 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-634 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-645 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-667 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-671 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-674 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-680 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-684 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-713 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-741 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-767 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-781 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-788 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-813 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-900 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-912 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-121627-955 O1 - Hosts: 138.126.80.53 ZUMMO #ZUMMO.MCK.US.RAY.COM backup-20070124-130720-102 O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll -- File Associations ----------------------------------------------------------- All associations okay. 
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver> R2 CiSmBios - c:\windows\system32\drivers\cismbios.sys R2 LxrJD31d - c:\windows\system32\drivers\lxrjd31d.sys R2 SprintPort (SprintPort Serial Driver) - c:\program files\novatel wireless\sprintport\winport.sys <Not Verified; 3Com; 3Com -- winport.sys> S3 EConvBox (USB Embroidery Conversion Box) - c:\windows\system32\drivers\econvbox.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys (file missing) S3 Intel Remote Control Helper - c:\windows\system32\drivers\rch.sys S3 Novatel (Novatel Wireless Network Adapter) - c:\windows\system32\drivers\nwc201.sys (file missing) S3 SocketQuadSerial (Novatel Wireless CDMA 1.9GHz Modem driver) - c:\windows\system32\drivers\nvtlg2k.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 CBA8 (LANDesk(R) Management Agent) - "c:\program files\landesk\shared files\residentagent.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk(R) Management Agent> R2 cmdService (Command Service) - c:\windows\umf5dghlb24gq29tcgfueq\command.exe R2 Intel Local Scheduler Service - c:\program files\landesk\ldclient\localsch.exe <Not Verified; LANDesk Software Ltd.; LANDeskŪ Management Suite> R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; LANDesk Software Ltd.; Intel Common Base Agent> R2 Intel QIP Client Service - c:\program files\landesk\ldclient\qipclnt.exe <Not Verified; LANDesk Software Ltd.; LANDeskŪ Management Suite> R2 Intel Targeted Multicast (LANDesk Targeted Multicast) - c:\program files\landesk\ldclient\tmcsvc.exe <Not Verified; LANDesk Software Ltd.; LANDeskŪ Management Suite> R2 ISSUSER (LANDesk Remote Control Service) - c:\progra~1\landesk\ldclient\issuser.exe /service <Not Verified; LANDesk 
Software, Ltd.; LANDeskŪ Management Suite> R2 LxrJD31s (Lexar JD31) - lxrjd31s.exe R2 Network Monitor - c:\program files\network monitor\netmon.exe service R2 Venturi2 (Venturi Client) - c:\program files\verizon wireless\venturi\client\ventc.exe <Not Verified; Venturi Wireless; VentC> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Cisco Systems VPN Adapter Device ID: ROOT\NET\0000 Manufacturer: Cisco Systems Name: Cisco Systems VPN Adapter PNP Device ID: ROOT\NET\0000 Service: CVirtA -- Files created between 2007-07-28 and 2007-08-28 ----------------------------- 2007-08-28 12:16:32 0 d-------- C:\ie-spyad_zo 2007-08-28 09:22:14 0 d-------- C:\WINDOWS\System32\ActiveScan 2007-08-28 08:50:57 0 d-------- C:\Program Files\SpywareBlaster 2007-08-27 18 20 0 dr-h----- C:\Documents and Settings\lynchge\Recent2007-08-27 16:38:22 687592 --a------ C:\WINDOWS\System32\atmtd.dll 2007-08-27 16:38:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon 2007-08-27 16:38:12 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs 2007-08-27 16:38:12 0 d--hs---- C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ 2007-08-27 16:38:12 0 d-------- C:\Program Files\Network Monitor 2007-08-27 16:38:09 0 d-------- C:\WINDOWS\System32\tempsz11 2007-08-27 16:38:09 0 d-------- C:\WINDOWS\System32\IBD4 2007-08-27 16:38:09 0 d-------- C:\WINDOWS\System32\drvfig32 2007-08-27 16:38:07 0 d-------- C:\WINDOWS\System32\f02WtR 2007-08-12 20:05:37 0 d-------- C:\Program Files\WinBudget 2007-08-10 18:08:01 0 d-------- C:\Documents and Settings\lynchge\Contacts 2007-08-10 18:07:18 0 d------c- C:\WINDOWS\System32\DRVSTORE 2007-08-10 18:07:08 0 d-------- C:\Program Files\MSN Messenger -- Find3M Report --------------------------------------------------------------- 2007-08-28 11:38:18 0 d-------- C:\Program Files\Windows NT 2007-08-28 11:36:37 0 d-------- C:\Program Files\Symantec AntiVirus 2007-08-28 11:27:09 0 
d-------- C:\Program Files\Google 2007-08-28 11:26:35 0 d-------- C:\Program Files\eFax Messenger 4.2 2007-08-28 11:26:13 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-28 11:23:59 0 d-------- C:\Program Files\Apoint 2007-08-28 05:47:59 125141 --a------ C:\WINDOWS\System32\nvModes.dat -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}] 08/12/2007 08:05 PM 176128 --a------ C:\Program Files\WinBudget\bin\matrix.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [01/18/2007 10:16 PM] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [01/18/2007 10:16 PM] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/18/2007 10:16 PM] "vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [01/18/2007 10:16 PM] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/26/2004 12:01 PM] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/18/2007 10:16 PM] "SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [01/18/2007 10:16 PM] "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" [01/18/2007 10:16 PM] "Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [01/18/2007 10:16 PM] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/18/2007 10:16 PM] "eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [01/18/2007 10:16 PM] "mehewo"="C:\Program Files\Windows NT\mehewo22011.exe" [08/07/2007 04:30 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 08:00 AM] "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [01/18/2007 10:16 PM] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM] 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [12/19/2006 12:09:08 PM] Logitech Harmony Remote Software 7.lnk - C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe [1/25/2007 5:19:58 PM] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSimpleStartMenu"=1 (0x1) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0] "Script"=localadmin.vbs [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0] "Script"=LegalNotice.vbs [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /installquiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot -- End of Deckard's System Scanner: finished at 2007-08-28 12:41:49 ------------ 
I hope I've attached everything that is needed. I have the HijackThis log and ActiveScan report if needed. George
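The Symantec history George pasted is a plain comma-separated export with a header row, so a responder can triage it mechanically instead of reading it by eye. The Python below is an added example for this thread, not code from the post or from Symantec. It re-assembles those four rows inline (constructed from the text above, with only the line breaks restored) and pulls out what matters first: the threat names, which account and which scan type produced each hit, the earliest detection, and three location checks that are my own heuristics. A hit under C:\System Volume Information\_restore means an infected copy was captured in a System Restore point and would come back on a rollback to that point; a hit in Temporary Internet Files names the file the browser fetched; and a hit in a subdirectory of system32 names a folder the dropper created.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the header row plus the four records George pasted,
# re-assembled as the comma-separated export Symantec AntiVirus produces from
# its history view. Only the line breaks are restored.
SYMANTEC_HISTORY = r"""Date,Filename,Threat,Threat Type,Action Taken,Computer,User,Original Location,Status,Current Location,Primary Action,Secondary Action,Scan Type,Action Description
8/28/2007 1:00:23 PM,A0140841.exe,Downloader,File,Quarantined,L14003044,SYSTEM,C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP634\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
8/27/2007 10:29:40 PM,f02WtR1065.exe,Downloader,File,Quarantined,L14003044,LYNCHGE,C:\WINDOWS\system32\f02WtR\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Manual scan,The file was quarantined successfully.
8/27/2007 7:52:39 PM,ieupdr2.exe,Downloader,File,Quarantined,L14003044,LYNCHGE,C:\Documents and Settings\lynchge\Desktop\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
8/27/2007 7:52:33 PM,msiesettings[1].exe,Downloader,File,Quarantined,L14003044,LYNCHGE,C:\Documents and Settings\lynchge\Local Settings\Temporary Internet Files\Content.IE5\KR3JEGLL\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
"""

# Location heuristics (my own, not Symantec's): a System Restore snapshot, the
# IE download cache, and a dropper-created folder directly under system32.
RESTORE_POINT_MARKER = "\\System Volume Information\\_restore"
TEMP_IE_MARKER = "\\Temporary Internet Files\\"
SYSTEM32_SUBDIR_RE = re.compile(r"\\system32\\([^\\]+)\\", re.IGNORECASE)


def parse_history(text):
    """Parse the export into dicts keyed by the header names, add a real
    datetime under 'When', and return the rows oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["When"] = datetime.strptime(row["Date"], "%m/%d/%Y %I:%M:%S %p")
    rows.sort(key=lambda r: r["When"])
    return rows


def triage(rows):
    """Summarize parsed rows: what was detected, by whom and how, where the
    copies sat, and the earliest event (the best estimate of when the chain
    started)."""
    system32_subdirs = []
    for r in rows:
        m = SYSTEM32_SUBDIR_RE.search(r["Original Location"])
        if m:
            system32_subdirs.append(m.group(1))
    return {
        "threats": Counter(r["Threat"] for r in rows),
        "scan_types": Counter(r["Scan Type"] for r in rows),
        "users": Counter(r["User"] for r in rows),
        "in_restore_point": [r["Filename"] for r in rows
                             if RESTORE_POINT_MARKER in r["Original Location"]],
        "from_browser_cache": [r["Filename"] for r in rows
                               if TEMP_IE_MARKER in r["Original Location"]],
        "system32_subdirs": system32_subdirs,
        "not_quarantined": [r["Filename"] for r in rows
                            if r["Action Taken"] != "Quarantined"],
        "first_seen": rows[0]["When"],
        "timeline": [(r["When"].isoformat(), r["Filename"], r["Scan Type"])
                     for r in rows],
    }


if __name__ == "__main__":
    summary = triage(parse_history(SYMANTEC_HISTORY))
    for key, value in summary.items():
        print(f"{key:>20}: {value}")
```

The system32 check surfaces f02WtR, the same freshly created folder that appears in the DSS "Files created" list at 2007-08-27 16:38:07, so the two logs corroborate each other. The SYSTEM-account hit inside RP634 is why a quarantined file in a restore point has to be dealt with before anyone rolls the machine back.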
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
Also post the ActiveScan report.
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#3
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
Here are the logs.
Thanks for the help. George

Combofix log:

ComboFix 07-08-30.2 - "LYNCHGE" 2007-08-29 21:34:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.382 [GMT -4:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\lynchge\APPLIC~1\install.dat
C:\DOCUME~1\lynchge\APPLIC~1\microsoft\internet explorer\quick launch\intern~1.lnk
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Windows NT\mehewo22011.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\asappsrv.dll
C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe
C:\WINDOWS\uninstall_nmon.vbs

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))

2007-08-29 21:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 12:36 <DIR> d-------- C:\Deckard
2007-08-28 12:16 <DIR> d-------- C:\ie-spyad_zo
2007-08-28 09:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-28 08:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-27 16:38 <DIR> d--hs---- C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ
2007-08-27 16:38 <DIR> d-------- C:\WINDOWS\system32\tempsz11
2007-08-27 16:38 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-27 16:38 <DIR> d-------- C:\WINDOWS\system32\drvfig32
2007-08-27 16:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-12 20:05 <DIR> d-------- C:\Program Files\WinBudget
2007-08-10 18:08 <DIR> d--------
C:\DOCUME~1\lynchge\Contacts 2007-08-10 18:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2007-08-10 18:07 <DIR> d-------- C:\Program Files\MSN Messenger (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-29 21:39 --------- d-------- C:\Program Files\Symantec AntiVirus 2007-08-28 11:27 --------- d-------- C:\Program Files\Google 2007-08-28 11:26 --------- d-------- C:\Program Files\eFax Messenger 4.2 2007-08-28 11:26 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-28 11:23 --------- d-------- C:\Program Files\Apoint 2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\oAIcx315vZb0kZ6Qw3IRyk.vbs ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-18 22:16] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-01-18 22:16] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-18 22:16] "vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2007-01-18 22:16] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-18 22:16] "SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2007-01-18 22:16] "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" [2007-01-18 22:16] "Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [2007-01-18 22:16] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-18 22:16] "eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2007-01-18 22:16] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00] "Microsoft Location Finder"="C:\Program 
Files\Microsoft Location Finder\LocationFinder.exe" [2007-01-18 22:16] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSimpleStartMenu"=1 (0x1) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0] "Script"=localadmin.vbs [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0] "Script"=LegalNotice.vbs [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /installquiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe" R2 
CiSmBios;CiSmBios;C:\WINDOWS\System32\drivers\CiSmBios.sys R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys R2 SprintPort;SprintPort Serial Driver;\??\C:\Program Files\Novatel Wireless\SprintPort\WINPORT.SYS R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\System32\DRIVERS\dne2000.sys R3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys R3 GTICARD;GTICARD;C:\WINDOWS\System32\DRIVERS\gticard.sys R3 ldmirror;ldmirror;C:\WINDOWS\System32\DRIVERS\ldmirror.sys R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\System32\DRIVERS\mirrorflt.sys R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\System32\DRIVERS\NWADIenum.sys R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\System32\DRIVERS\CVirtA.sys S3 EConvBox;USB Embroidery Conversion Box;C:\WINDOWS\System32\Drivers\EConvBox.sys S3 Intel Remote Control Helper;Intel Remote Control Helper;C:\WINDOWS\System32\drivers\rch.sys S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs S3 mf;mf;C:\WINDOWS\System32\DRIVERS\mf.sys S3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys S3 Novatel;Novatel Wireless Network Adapter;C:\WINDOWS\System32\DRIVERS\nwc201.sys S3 SocketQuadSerial;Novatel Wireless CDMA 1.9GHz Modem driver;C:\WINDOWS\System32\DRIVERS\nvtlg2k.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-29 21:39:58 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-29 21:42:30 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-29 21:42 --- E O F --- Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:50, on 2007-08-29 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\LANDesk\Shared Files\residentagent.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\LANDesk\LDClient\LocalSch.EXE C:\WINDOWS\System32\CBA\pds.exe C:\Program Files\LANDesk\LDClient\qipclnt.exe C:\Program Files\LANDesk\LDClient\tmcsvc.exe C:\PROGRA~1\LANDesk\LDClient\issuser.exe C:\WINDOWS\system32\LxrJD31s.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe c:\program files\verizon wireless\venturi\Client\ventc.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\MsgSys.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\eFax Messenger 4.2\J2GTray.exe C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\internet explorer\iexplore.exe 
c:\program files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 
4.2\J2GDllCmd.exe" /R O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe O4 - Global Startup: Logitech Harmony Remote Software 7.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - Trusted Zone: http://*.turbotax.com O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - 
HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.ray.com O17 - HKLM\Software\..\Telephony: DomainName = us.ray.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.ray.com O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\System32\CBA\pds.exe O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. 
- C:\PROGRA~1\LANDesk\LDClient\issuser.exe O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 8455 bytes ActiveScan log: Incident Status Location Adware:Adware/TTC Not disinfected C:\Program Files\Windows NT\mehewo22011.exe Adware:Adware/CommAd Not disinfected C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\asappsrv.dll Adware:Adware/SearchAid Not disinfected C:\Program Files\Network Monitor\netmon.exe Adware:Adware/CommAd Not disinfected C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USDR6_9999_N18M1603NetInstaller.exe Adware:adware/sidestep Not disinfected C:\Documents and Settings\lynchge\Favorites\Sidestep.url Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\siteteam@advertising[2].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\siteteam@atdmt[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\siteteam@atwola[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\siteteam@doubleclick[1].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and 
Settings\Administrator\Cookies\siteteam@servedby.advertising[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@247realmedia[2].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@2o7[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@ad.yieldmanager[1].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@adrevolver[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@adrevolver[3].txt Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@ads.addynamix[1].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@ads.pointroll[1].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@advertising[2].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@apmebf[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@atdmt[2].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@azjmp[2].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@burstnet[2].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@casalemedia[1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@com[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@doubleclick[1].txt Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@entrepreneur[1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@go[3].txt Spyware:Cookie/Linksynergy Not disinfected C:\Documents and 
Settings\lynchge\Cookies\lynchge@linksynergy[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@mediaplex[2].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@overture[1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@questionmarket[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@server.iad.liveperson[1].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@stats1.reliablestats[1].txt Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@systemdoctor[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@trafficmp[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@tribalfusion[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@www.burstbeacon[1].txt Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@www.systemdoctor[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\lynchge\Cookies\lynchge@zedo[1].txt Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\lynchge\Local Settings\Temp\ICD1.tmp\USDR6_9999_N18M1603NetInstaller.exe Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\atmtd.dll._ Virus:Trj/Downloader.PUT Disinfected C:\WINDOWS\system32\IBD4\rru22011.exe Adware:Adware/ISearch Not disinfected C:\WINDOWS\system32\tempsz11\bbs001dd.exe Adware:Adware/CommAd Not disinfected C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\oAIcx315vZb0kZ6Qw3IRyk.vbs Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs I also decided to send the ComboFix quarantined log:
2003-05-01 19:56 170496 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ntos.exe.vir
2005-08-02 16:46 187904 --a------ C:\Qoobox\Quarantine\C\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\asappsrv.dll.vir
2005-08-02 16:58 293888 --a------ C:\Qoobox\Quarantine\C\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe.vir
2005-10-11 11:20 104 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\lynchge\APPLIC~1\Microsoft\Internet Explorer\Quick Launch\INTERN~1.LNK.vir
2006-01-03 17:45 1989 --a------ C:\Qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir
2006-01-04 18:09 94208 --a------ C:\Qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir
2007-01-22 17:23 1443213 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\lynchge\APPLIC~1\Install.dat.vir
2007-04-24 12:21 9248 --a------ C:\Qoobox\Quarantine\C\temp\1cb\syscheck.log.vir
2007-08-07 16:30 163840 --a------ C:\Qoobox\Quarantine\C\Program Files\Windows NT\mehewo22011.exe.vir
2007-08-27 16:38 687592 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir
2007-08-27 16:38 687592 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir
2007-08-27 16:38 930 --a------ C:\Qoobox\Quarantine\C\temp\fse\tmpZTF.log.vir
2007-08-29 21:29 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wsnpoem\audio.dll.vir
2007-08-29 21:30 9589 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wsnpoem\video.dll.vir
2007-08-29 21:37 1072 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
2007-08-29 21:37 1122 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
2007-08-29 21:37 166963 --a------ C:\Qoobox\Quarantine\catchme2007-08-29_213954.69.zip
2007-08-29 21:37 2700 --a------ C:\Qoobox\Quarantine\Registry_backups\services_cmdService.reg.cf
2007-08-29 21:37 2822 --a------ C:\Qoobox\Quarantine\Registry_backups\services_Network Monitor.reg.cf
2007-08-29 21:37 464 --a------ C:\Qoobox\Quarantine\catchme.log
2007-08-29 21:42 821307 --a------ C:\Qoobox\snapshot_2007-08-29_214207.69.cf
Folder PATH listing
Volume serial number is 71FAE346 7478:1B64
C:\QOOBOX
| snapshot_2007-08-29_214207.69.cf
|
\---Quarantine
| catchme.log
| catchme2007-08-29_213954.69.zip
|
+---C
| +---ComboFix
| +---DOCUME~1
| | \---lynchge
| | \---APPLIC~1
| | | Install.dat.vir
| | |
| | \---Microsoft
| | \---Internet Explorer
| | \---Quick Launch
| | INTERN~1.LNK.vir
| |
| +---Program Files
| | +---Network Monitor
| | | netmon.exe.vir
| | |
| | \---Windows NT
| | mehewo22011.exe.vir
| |
| +---temp
| | +---1cb
| | | syscheck.log.vir
| | |
| | \---fse
| | tmpZTF.log.vir
| |
| \---WINDOWS
| | uninstall_nmon.vbs.vir
| |
| +---system32
| | | atmtd.dll.vir
| | | atmtd.dll._.vir
| | | ntos.exe.vir
| | |
| | \---wsnpoem
| | audio.dll.vir
| | video.dll.vir
| |
| \---UmF5dGhlb24gQ29tcGFueQ
| asappsrv.dll.vir
| command.exe.vir
|
\---Registry_backups
LEGACY_CMDSERVICE.reg.cf
LEGACY_NETWORK_MONITOR.reg.cf
services_cmdService.reg.cf
services_Network Monitor.reg.cf
Last edited by George2244; 08-29-2007 at 08:00 PM.
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Hello, George -
Do you have the extra.txt from the initial run of DSS? It should be located at C:\Deckard\System Scanner\extra.txt Please post it. Have you intentionally installed a program called WinBudget?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#5
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
No, I have not installed WinBudget that I can recall. Here is the extra.txt file:
Deckard's System Scanner v20070826.66 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 1.0 Architecture: X86; Language: English CPU 0: Intel(R) Pentium(R) M processor 1700MHz Percentage of Memory in Use: 53% Physical Memory (total/avail): 1023.23 MiB / 475.02 MiB Pagefile Memory (total/avail): 2461.07 MiB / 2101.22 MiB Virtual Memory (total/avail): 2047.88 MiB / 1963.72 MiB C: is Fixed (NTFS) - 55.84 GiB total, 13.13 GiB free. D: is CDROM (No Media) \\.\PHYSICALDRIVE0 - HTS548060M9AT00 - 55.89 GiB - 2 partitions \PARTITION0 - Unknown - 39.19 MiB \PARTITION1 (bootable) - Installable File System - 55.84 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is disabled. -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\lynchge\Application Data CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=L14003044 ComSpec=C:\WINDOWS\system32\cmd.exe HOMEDRIVE=C: HOMEPATH=\Documents and Settings\lynchge LDMS_LOCAL_DIR=C:\Program Files\LANDesk\LDClient\Data LOGONSERVER=\\E-DC102 NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\IXOS\IXOS-eCONtext\bin;;C:\Program Files\IXOS\IXOS-eCONtext\opt\ORA\bin;C:\Program Files\QuickTime\QTSystem\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0905 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program 
Files\QuickTime\QTSystem\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\lynchge\LOCALS~1\Temp TMP=C:\DOCUME~1\lynchge\LOCALS~1\Temp USERDNSDOMAIN=US.RAY.COM USERDOMAIN=US USERNAME=LYNCHGE USERPROFILE=C:\Documents and Settings\lynchge windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- lynchge (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01} Adobe Acrobat 6.0.1 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001} Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603} Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604} Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605} Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001} Advanced Networking Pack for Windows XP --> C:\WINDOWS\$NtUninstallKB817778$\spuninst\spuninst.exe ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL Amazing Box --> MsiExec.exe /I{4EDF9A10-98DE-4B74-BEEB-6278AB134559} BlackBerry Desktop Software 4.1 --> MsiExec.exe /i{7F29BE4F-1651-4CFE-AF63-68825B90EE3B} BlackBerry Desktop Software 4.1 --> MsiExec.exe /I{7F29BE4F-1651-4CFE-AF63-68825B90EE3B} Bowflex i-Trainer --> 
MsiExec.exe /I{4179D189-A9DB-4979-ACC6-E4B02151C9CC} Broadcom Gigabit Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033 Browntech Image Plugin 1.98 --> MsiExec.exe /X{68658FCB-01BB-4980-A7C3-6ADB1E4E0C66} C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" Command --> wscript "C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\oAIcx315vZb0kZ6Qw3IRyk.vbs" Conexant D480 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf Data Access Objects (DAO) 3.5 --> C:\Program Files\Common Files\Microsoft Shared\DAO\Remove.EXE C:\WINDOWS\UNINST.EXE -fC:\PROGRA~1\COMMON~1\MICROS~1\DAO\DeIsL1.isu DefaultProductName --> MsiExec.exe /I{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D} Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card" DirectX 9 Hotfix - KB839643 --> C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9} eFax Messenger 4.2 --> C:\Program Files\eFax Messenger 4.2\Uninstall.exe Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B} Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll" High Speed RAS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAA2097C-D6C8-41DD-9C85-15635F536B4B}\Setup.exe" HighMAT Extension to Microsoft Windows XP 
CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F} HijackThis 1.99.1 --> C:\HijackThis\HijackThis.exe /uninstall hp officejet 6100 series --> rundll32 hpzcon07.dll,VendorJettison hp officejet 6100 series Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL iPod for Windows --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033 iTunes --> MsiExec.exe /I{885894A5-BA0A-460E-AB4C-96C5C9B2C5E2} IXOS-eCON Clients --> MsiExec.exe /I{A172C9C8-1C70-11D6-A246-0001020BC164} IXOS-eCON Clients Languages --> MsiExec.exe /I{30ECE66A-C503-4E88-9E3D-4962F568C05E} JD Secure 3.1 --> C:\WINDOWS\System32\JDSecure31.exe /u LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U Logitech Harmony Remote Software 7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe" -l0x9 -removeonly Lotus Notes 6.5.2 --> MsiExec.exe /I{0E342806-C6AF-420E-AE37-611AE807FADE} Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151} Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf Microsoft Location Finder --> MsiExec.exe /I{8D6AE289-7A5E-41B4-A7F0-687C2DAB1B87} Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9} Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9} 
Microsoft Project Professional 2002 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0050048383C9} Microsoft Visio Viewer 2002 --> MsiExec.exe /I{94F9723E-900A-43C5-8F4E-AD2D2ED09273} Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7} Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs" NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe PCI 7510 CardBus Controller with SmartCard and Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{252F9FB9-FC12-4B08-ADEB-F402BA3A8D28} /l1033 Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe" QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8} Rand McNally StreetFinder Deluxe --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Rand McNally\StreetFinder Deluxe\Uninst.isu" -c"C:\Program Files\Rand McNally\StreetFinder Deluxe\Uninst.dll" RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log SigmaTel AC97 Audio Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe" Symantec AntiVirus --> MsiExec.exe /X{848AC794-8B81-440A-81AE-6474337DB527} TM PP RandomShow --> "C:\Documents and Settings\lynchge\Application Data\microsoft\addins\unins000.exe" TurboTax 2005 --> C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program 
Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
V620 Driver Setup --> MsiExec.exe /I{D744BF30-C1F8-4474-9C6A-446389738887}
Venturi Client 3.1.4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C59FA2E-EEDA-41FA-90AC-F8FCBD032E85}\Setup.exe" -l0x9 -vuninstall
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
Vtech i5801 Image Editor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13BDC020-EB6F-4F09-B1F5-68552D643414}\setup.exe" -l0x9
VZAccess Manager --> C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

-- Application Event Log -------------------------------------------------------
Event Record #/Type12950 / Error
Event Submitted/Written: 08/28/2007 08:40:45 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type12949 / Error
Event Submitted/Written: 08/28/2007 00:41:57 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type12947 / Error
Event Submitted/Written: 08/27/2007 10:31:56 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Downloader in File: C:\WINDOWS\system32\f02WtR\f02WtR1065.exe by: Manual scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Event Record #/Type12946 / Warning
Event Submitted/Written: 08/27/2007 10:31:48 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not access Drive D:\ since the device is not ready.

Event Record #/Type12945 / Warning
Event Submitted/Written: 08/27/2007 10:27:40 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not open file C:\WINDOWS\system32\config\system.LOG [00000003]

-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------
Event Record #/Type44367 / Warning
Event Submitted/Written: 08/28/2007 11:54:53 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type44366 / Warning
Event Submitted/Written: 08/28/2007 11:40:51 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/bos-service1.raytheon.com. No authentication protocol was available.

Event Record #/Type44365 / Warning
Event Submitted/Written: 08/28/2007 11:40:51 AM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for server DNS/bos-service1.raytheon.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Event Record #/Type44364 / Warning
Event Submitted/Written: 08/28/2007 09:41:08 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/bos-service1.raytheon.com. No authentication protocol was available.

Event Record #/Type44363 / Warning
Event Submitted/Written: 08/28/2007 09:41:08 AM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for server DNS/bos-service1.raytheon.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

-- End of Deckard's System Scanner: finished at 2007-08-28 12:41:49 ------------
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Thanks, George.
Let's continue. Open Notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009

#7
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
Tetonbob,

Enclosed is the log, but I wanted to tell you I received a failure message that I didn't get to read before it went away, and I had a difficult time rebooting. Tried several times; finally rebooted while holding the F12 key.

George

ComboFix 07-08-30.2 - "LYNCHGE" 2007-08-30 13:17:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.583 [GMT -4:00]
Command switches used :: C:\HijackThis\CFScript.txt
* Created a new restore point

FILE::
c:\windows\downloaded program files\USDR6_9999_N18M1603NetInstaller.exe
C:\Documents and Settings\lynchge\Favorites\Sidestep.url
C:\Documents and Settings\lynchge\Local Settings\Temp\ICD1.tmp\USDR6_9999_N18M1603NetInstaller.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\LOCALS~1\Applic~1\NetMon
C:\DOCUME~1\LOCALS~1\Applic~1\NetMon\domains.txt
C:\DOCUME~1\LOCALS~1\Applic~1\NetMon\log.txt
C:\Documents and Settings\lynchge\Favorites\Sidestep.url
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1186963538.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\system32\drvfig32
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\tempsz11
C:\WINDOWS\system32\tempsz11\bbs001dd.exe
C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ
C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\oAIcx315vZb0kZ6Qw3IRyk.vbs

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))

2007-08-29 21:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-29 21:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 12:36 <DIR> d-------- C:\Deckard
2007-08-28 12:16 <DIR> d-------- C:\ie-spyad_zo
2007-08-28 09:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-28 08:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-10 18:08 <DIR> d-------- C:\DOCUME~1\lynchge\Contacts
2007-08-10 18:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-10 18:07 <DIR> d-------- C:\Program Files\MSN Messenger

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 14:21 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-28 11:27 --------- d-------- C:\Program Files\Google
2007-08-28 11:26 --------- d-------- C:\Program Files\eFax Messenger 4.2
2007-08-28 11:26 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-28 11:23 --------- d-------- C:\Program Files\Apoint

((((((((((((((((((((((((((((( snapshot_2007-08-29_214207.69 )))))))))))))))))))))))))))))))))))))))))

----a-w 125,141 2007-08-30 12:30:42 C:\WINDOWS\system32\nvModes.dat
----a-w 40,394 2007-08-30 01:47:03 C:\WINDOWS\system32\perfc009.dat
----a-w 312,172 2007-08-30 01:47:03 C:\WINDOWS\system32\perfh009.dat
----a-w 125,141 2007-08-29 19:26:02 C:\WINDOWS\system32\nvModes.dat
----a-w 40,394 2007-08-30 01:41:23 C:\WINDOWS\system32\perfc009.dat
----a-w 312,172 2007-08-30 01:41:23 C:\WINDOWS\system32\perfh009.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-18 22:16]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-01-18 22:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-18 22:16]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2007-01-18 22:16]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-18 22:16]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2007-01-18 22:16]
"CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" [2007-01-18 22:16]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [2007-01-18 22:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-18 22:16]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2007-01-18 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2007-01-18 22:16]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=localadmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=LegalNotice.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe"
R2 CiSmBios;CiSmBios;C:\WINDOWS\System32\drivers\CiSmBios.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
R2 SprintPort;SprintPort Serial Driver;\??\C:\Program Files\Novatel Wireless\SprintPort\WINPORT.SYS
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\System32\DRIVERS\dne2000.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
R3 GTICARD;GTICARD;C:\WINDOWS\System32\DRIVERS\gticard.sys
R3 ldmirror;ldmirror;C:\WINDOWS\System32\DRIVERS\ldmirror.sys
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\System32\DRIVERS\mirrorflt.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\System32\DRIVERS\NWADIenum.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\System32\DRIVERS\CVirtA.sys
S3 EConvBox;USB Embroidery Conversion Box;C:\WINDOWS\System32\Drivers\EConvBox.sys
S3 Intel Remote Control Helper;Intel Remote Control Helper;C:\WINDOWS\System32\drivers\rch.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 mf;mf;C:\WINDOWS\System32\DRIVERS\mf.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 Novatel;Novatel Wireless Network Adapter;C:\WINDOWS\System32\DRIVERS\nwc201.sys
S3 SocketQuadSerial;Novatel Wireless CDMA 1.9GHz Modem driver;C:\WINDOWS\System32\DRIVERS\nvtlg2k.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 14:21:40
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 14:22:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 14:22
C:\ComboFix2.txt ... 2007-08-29 21:42

--- E O F ---
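One detail in the ComboFix deletions above is worth a second look: the folder name C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ is not random. It is the base64 encoding of "Raytheon Company", the organisation whose domain (us.ray.com, bos-service1.raytheon.com) appears elsewhere in the same logs; the adware borrowed a plausible-looking name from the machine's own registration data. The following is an added Python example, not part of the original thread and not ComboFix's code, that runs over the deletion list and reports any path component that decodes to readable text. The 12-character minimum and the "readable ASCII" test are my assumptions to keep short names such as IBD4 or bin from producing false positives.

```python
import base64
import binascii
import re
import string

# Sample input: the "Other Deletions" list from the ComboFix log posted above (copied, not constructed).
COMBOFIX_DELETIONS = [
    r"C:\DOCUME~1\LOCALS~1\Applic~1\NetMon",
    r"C:\DOCUME~1\LOCALS~1\Applic~1\NetMon\domains.txt",
    r"C:\DOCUME~1\LOCALS~1\Applic~1\NetMon\log.txt",
    r"C:\Documents and Settings\lynchge\Favorites\Sidestep.url",
    r"C:\Program Files\WinBudget",
    r"C:\Program Files\WinBudget\bin\crap.1186963538.old",
    r"C:\Program Files\WinBudget\bin\matrix.dll",
    r"C:\WINDOWS\system32\drvfig32",
    r"C:\WINDOWS\system32\IBD4",
    r"C:\WINDOWS\system32\tempsz11",
    r"C:\WINDOWS\system32\tempsz11\bbs001dd.exe",
    r"C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ",
    r"C:\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\oAIcx315vZb0kZ6Qw3IRyk.vbs",
]

# Assumption: at least 12 characters from the base64 alphabet. Shorter names decode
# to *something* far too often ("bin" + padding is two printable bytes) to be worth reporting.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}$")
READABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def decode_b64_name(name):
    """Return the plaintext if `name` (minus any extension) is base64 of readable ASCII, else None.

    The '=' padding is restored before decoding because names like this are written without it.
    """
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if not B64_TOKEN.match(stem):
        return None
    padded = stem + "=" * (-len(stem) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in READABLE for ch in text):
        return None
    return text


def flag_encoded_paths(paths):
    """Return (path, component, decoded) for every path component that decodes to readable text."""
    hits = []
    for path in paths:
        for component in path.split("\\"):
            decoded = decode_b64_name(component)
            if decoded is not None:
                hits.append((path, component, decoded))
    return hits


if __name__ == "__main__":
    for path, component, decoded in flag_encoded_paths(COMBOFIX_DELETIONS):
        print(f"{path}\n    {component!r} decodes to {decoded!r}")
```

Run against the list above it reports only the two UmF5dGhlb24gQ29tcGFueQ paths, both decoding to "Raytheon Company"; drvfig32, tempsz11 and the .vbs stem fall through because they either are too short or do not decode to printable text.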
#8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Is the system currently stable? Does it restart normally?
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Hi George -
Please perform this online scan to look for any remnants:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
#11
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
Tetonbob,
Here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-08-31 17:15
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/08/2007
Kaspersky Anti-Virus database records: 401518
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73541
Number of viruses found: 13
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 01:46:08

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\lynchge\LOCALS~1\Temp\ICD1.tmp\USDR6_9999_N18M1603NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700000.VBN Infected: Trojan-Downloader.Win32.Agent.brq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700001.VBN Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700002.VBN Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700003.VBN Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700004.VBN Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700005.VBN Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700006.VBN Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700007.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700008.VBN Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700009.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0770000A.VBN Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0770000B.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00001.VBN Infected: Trojan-Downloader.Win32.Delf.biu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00002.VBN Infected: Trojan-Downloader.Win32.Delf.biu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00003.VBN Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FE40000.VBN Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\lynchge\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\lynchge\Application Data\Microsoft\Word\STARTUP\DocuShare.dot Object is locked skipped
C:\Documents and Settings\lynchge\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\History\History.IE5\MSHist012007083120070901\index.dat Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\Acr2999.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\AcrB.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\AcrF.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\hsperfdata_LYNCHGE\3100 Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\~DF9F2F.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\~DFA41A.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\~DFAC2C.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\lynchge\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lynchge\Logitech\Monitor\LogitechLock Object is locked skipped
C:\Documents and Settings\lynchge\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lynchge\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\HijackThis\backups\backup-20070124-130720-102.dll Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\Program Files\Verizon Wireless\venturi\Client\vent2.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\QooBox\Quarantine\C\Program Files\Windows NT\mehewo22011.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tempsz11\bbs001dd.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP563\A0136533.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP563\A0136533.old Embedded EXE: infected - 1 skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP634\A0140844.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP634\A0140844.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP637\A0140898.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP637\A0140899.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP637\A0140900.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP637\A0140901.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP638\A0141056.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP640\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$Nt uninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
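A reader triaging the report above should notice where the 33 infected objects actually sit: every one of them is inside a container rather than at a live location: Symantec's quarantine store (the .VBN files), ComboFix's QooBox quarantine, the Deckard and HijackThis backup folders, and System Restore points. Those are copies of already-removed files, so the follow-up is to clear the containers rather than hunt for a running infection. The following is an added Python example, not part of the original thread and not Kaspersky's code, that parses the report's result lines and separates contained hits from anything still live. The container path markers are my assumption, taken from the paths in this report; the excerpt is copied from the report above, and the one line marked constructed is not from the report and exists only to exercise the live branch.

```python
import re
from collections import Counter

# One result line of a Kaspersky Online Scanner 5 report takes one of three shapes:
#   <path> Infected: <threat> skipped
#   <path> Object is locked skipped
#   <path> <archive type>: infected - <n> skipped      (summary line for a container file)
REPORT_LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<threat>\S+)|Object is locked|(?P<archive>[\w ]+): infected - \d+) "
    r"skipped$"
)

# Assumption: path fragments that mean "already contained" on this machine, taken from the
# paths in the report (Symantec and QooBox quarantine, tool backups, System Restore points).
CONTAINED_MARKERS = (
    "\\quarantine\\",
    "c:\\deckard\\system scanner\\backup\\",
    "c:\\hijackthis\\backups\\",
    "c:\\system volume information\\_restore",
)

# Excerpt copied from the report posted above.
REPORT_EXCERPT = r"""
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07700000.VBN Infected: Trojan-Downloader.Win32.Agent.brq skipped
C:\HijackThis\backups\backup-20070124-130720-102.dll Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\QooBox\Quarantine\C\WINDOWS\UmF5dGhlb24gQ29tcGFueQ\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP563\A0136533.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\System Volume Information\_restore{9F2E4F2F-624B-4622-B1B8-AA53D38F2133}\RP563\A0136533.old Embedded EXE: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Constructed line (not from the report) so the "live" branch can be exercised.
CONSTRUCTED_LIVE_LINE = r"C:\WINDOWS\system32\example_live.exe Infected: Trojan-Downloader.Win32.Example.a skipped"


def parse_report(text):
    """Return one dict per result line: path, threat (None for locked/summary lines), locked flag."""
    findings = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if not m:
            continue  # headers, statistics and blank lines
        findings.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "locked": "Object is locked" in line,
        })
    return findings


def is_contained(path):
    """True if the path lies inside a quarantine, backup or restore-point store."""
    p = path.lower()
    return any(marker in p for marker in CONTAINED_MARKERS)


def triage(text):
    """Split the report's detections into contained copies and live objects."""
    findings = parse_report(text)
    infected = [f for f in findings if f["threat"]]
    return {
        "locked": sum(f["locked"] for f in findings),
        "contained": [f for f in infected if is_contained(f["path"])],
        "live": [f for f in infected if not is_contained(f["path"])],
        "families": Counter(f["threat"] for f in infected),
    }


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    print(f"locked: {result['locked']}, contained: {len(result['contained'])}, live: {len(result['live'])}")
    for f in result["live"]:
        print("LIVE:", f["path"], f["threat"])
```

On the excerpt the live list comes back empty, matching what a manual read of the full report shows; the constructed line demonstrates what a hit in a real location would look like. The "locked" count is worth reporting separately because registry hives and index.dat files are always locked on a running XP system and are not findings.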
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Please post a new HijackThis log as requested.
#13
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
Logfile of HijackThis v1.99.1
Scan saved at 19:57, on 2007-08-31
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\System32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\HijackThis\LYNCHGE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Logitech Harmony Remote Software 7.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.ray.com
O17 - HKLM\Software\..\Telephony: DomainName = us.ray.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.ray.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\System32\CBA\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd.
- C:\PROGRA~1\LANDesk\LDClient\issuser.exe O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe |
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Thanks, George. Looks good.
Most of those items found by Kaspersky are in Symantec quarantine. They are safe there, but you may want to remove them finally from the system from within the application's interface.

Your logs appear clean. You should be good to go. We still have a few items to address.

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it. Please also delete ComboFix.exe

C:\Deckard is DSS working folder. It can be safely deleted. Also delete dss.exe

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.

Reset hidden/system files and folders
Clear & Reset System Restore's Cache
Enable Windows Auto Update
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles.

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 08-31-2007 at 06:27 PM.
#15
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
Tetonbob,
I did all of the steps in your last post. Thanks for your help. There appears to be one artifact of all this that has developed. When I right click on "My Computer" a Symantec Windows Installer immediately launches. It goes through several steps then ends with an error "the feature you are trying to use is on a network service that is unavailable", to which I cancel, and then it returns "error 1706. No valid source could be found for product Symantec AntiVirus. The Windows Installer can not continue". This computer used to be my work computer that was on my work network. When I retired I was given the computer. Any ideas?

George
#16
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
It would appear Symantec is looking for the installer package which is located on the network. Not sure how to solve that other than a re-install of the software, connect the machine to the network again so it can find what it's looking for, or to ask Symantec.
Is Symantec current? Is the subscription about to expire? It might also be a good time to change AV solutions. I can give you links to great free AV products if you like.
#17
Registered User
Join Date: Aug 2007
Posts: 9
OS: windows xp
Re: Adware problems
Tetonbob,
Since I can't get back on the network, I'm open to going to another AV sw package. I also wanted to ask if you're familiar with a sw package called Safe XP? I was thinking of downloading it. I had nieces visiting and since they were here MSN Messenger starts up every time I turn the computer on. I've looked in all the Startup locations but can't see where to kill it. Safe XP said they can kill it.

George
#18
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home
Re: Adware problems
Hi George -
I'm not sure if the tool on this site will help with the Symantec version you have, but it is very useful in removing Norton, which can prove to be something of a pain to uninstall completely. http://basconotw.mvps.org/SymRem.htm

Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Here are a couple of free Firewall programs. Using a third-party firewall will allow you to give/deny access for applications that want to go online.

I've not heard of or used SafeXP. I'm a bit wary of registry tweaking programs. Looks like they are referring to Windows Messenger, though, not MSN Messenger: Block Windows Messenger (spam) vulnerabilities.

For the MSN Messenger question, there's a couple things you can do:

Go into MSN Messenger, and in the Tools > Options > General section, there should be a box to uncheck for "Start with Windows" or something like that. I'm using an older version, so it may have changed slightly. I uncheck anything to do with auto logon or auto start for that program.

Or....

Fix this entry with HijackThis:

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
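Both fixes offered above (untick the application's own "Start with Windows" option, or fix the O4 line in HijackThis) come down to reading the O4 and O23 entries in the log correctly. As an added example that is not code from this thread or from HijackThis, here is a small Python parser for the O2, O4 and O23 line shapes in the log posted earlier, plus a reviewer pass that flags the per-user Run entry for MsnMsgr, the startup shortcut whose target shows as "?", and the service reported with an unknown owner; the regexes and the flag rules are my own reading of the log format, not a HijackThis specification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied from the HijackThis log posted in this thread (covers O2/O4/O23).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Logitech Harmony Remote Software 7.lnk = ?
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

@dataclass
class Entry:
    section: str      # HijackThis section code: O2, O4, O23, ...
    name: str         # BHO name, Run value name, .lnk name or service name
    command: str      # file path / command line as HijackThis reports it
    location: str     # CLSID (O2), hive\..\key or startup folder (O4), publisher (O23)
    flags: list = field(default_factory=list)

# Line shapes as they appear in the posted log (my reading of the format, not a HijackThis spec).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<loc>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<loc>HK[A-Z]+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<loc>.+?) - (?P<cmd>.+)$")

def parse_hjt(text: str) -> list:
    """Turn raw HijackThis lines into Entry records; unknown shapes are kept, not dropped."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        for section, pattern in (("O2", O2_RE), ("O4", O4_RUN_RE), ("O4", O4_LNK_RE), ("O23", O23_RE)):
            if m := pattern.match(line):
                entries.append(Entry(section, m["name"], m["cmd"], m["loc"]))
                break
        else:
            entries.append(Entry(line.split(" ", 1)[0], "", line, "unparsed"))
    return entries

def review(entries: list) -> list:
    """Attach reviewer flags and return only the entries that earned at least one."""
    for e in entries:
        if e.section == "O23" and e.location.lower() == "unknown owner":
            e.flags.append("service binary carries no publisher in its version info")
        if e.section == "O4" and e.command.strip() in ("", "?"):
            e.flags.append("startup shortcut target could not be resolved")
        if e.section == "O4" and e.location.startswith("HKCU"):
            e.flags.append("per-user autostart; disable in the app's settings or fix the O4 line")
    return [e for e in entries if e.flags]
```

Running `review(parse_hjt(SAMPLE_LOG))` returns the MsnMsgr, Logitech and Lexar entries with their flags, while the HKLM ccApp entry, the Google BHO and the Symantec service pass without comment.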